From 7babc8cae835842aaf6f60fdd5346e5c10dd899e Mon Sep 17 00:00:00 2001 
From: yifat
Date: Tue, 15 Nov 2022 12:49:43 +0200
Subject: [PATCH 01/18] Add all files
---
.../Generated/AlertsOperations.cs | 3701 +++++++++++++++++
.../Generated/AlertsOperationsExtensions.cs | 717 ++++
.../Generated/IAlertsOperations.cs | 458 ++
.../Generated/ISecurityCenterClient.cs | 85 +
.../Generated/Models/Alert.cs | 332 ++
.../Generated/Models/AlertEntity.cs | 63 +
.../AlertPropertiesSupportingEvidence.cs | 65 +
.../Generated/Models/AlertSeverity.cs | 36 +
.../AlertSimulatorBundlesRequestProperties.cs | 59 +
.../Models/AlertSimulatorRequestBody.cs | 51 +
.../Models/AlertSimulatorRequestProperties.cs | 57 +
.../Generated/Models/AlertStatus.cs | 37 +
.../Generated/Models/AscLocation.cs | 53 +
.../Models/AzureResourceIdentifier.cs | 54 +
.../Models/AzureTrackedResourceLocation.cs | 54 +
.../Generated/Models/BundleType.cs | 29 +
.../Generated/Models/ETag.cs | 54 +
.../Generated/Models/ErrorAdditionalInfo.cs | 59 +
.../Generated/Models/Intent.cs | 117 +
.../Generated/Models/Kind.cs | 51 +
.../Models/LogAnalyticsIdentifier.cs | 100 +
.../Generated/Models/Page.cs | 53 +
.../Generated/Models/Resource.cs | 69 +
.../Generated/Models/ResourceIdentifier.cs | 37 +
.../Generated/Models/Tags.cs | 54 +
.../Generated/Models/TrackedResource.cs | 105 +
.../Generated/SdkInfo_SecurityCenter.cs | 27 +
.../Generated/SecurityCenterClient.cs | 371 ++
.../Properties/AssemblyInfo.cs | 18 +
.../Security.Management.Sdk/README.md | 48 +
.../Security.Management.Sdk.csproj | 18 +
src/Security/Security.sln | 6 +
src/Security/Security/Az.Security.psd1 | 2 +-
src/Security/Security/Security.csproj | 2 +-
34 files changed, 7040 insertions(+), 2 deletions(-)
create mode 100644 src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/AlertsOperationsExtensions.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/IAlertsOperations.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Alert.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertEntity.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertPropertiesSupportingEvidence.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertSeverity.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorBundlesRequestProperties.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestBody.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertStatus.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AscLocation.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AzureResourceIdentifier.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AzureTrackedResourceLocation.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/BundleType.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ETag.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ErrorAdditionalInfo.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Intent.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Kind.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/LogAnalyticsIdentifier.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Page.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Resource.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Tags.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TrackedResource.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs
create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs
create mode 100644 src/Security/Security.Management.Sdk/Properties/AssemblyInfo.cs
create mode 100644 src/Security/Security.Management.Sdk/README.md
create mode 100644 src/Security/Security.Management.Sdk/Security.Management.Sdk.csproj
diff --git a/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs
new file mode 100644
index 000000000000..95cf9b3ae2f0
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs 
@@ -0,0 +1,3701 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AlertsOperations operations. + /// + internal partial class AlertsOperations : IServiceOperations, IAlertsOperations + { + /// + /// Initializes a new instance of the AlertsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AlertsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + 
_invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListSubscriptionLevelByRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListSubscriptionLevelByRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListResourceGroupLevelByRegionWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, 
"ListResourceGroupLevelByRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if 
(Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get an alert that is associated with a subscription + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetSubscriptionLevelWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "GetSubscriptionLevel", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get an alert that is associated a resource group or a resource in a + /// resource group + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetResourceGroupLevelWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + 
tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "GetResourceGroupLevel", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateSubscriptionLevelStateToDismissWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToDismiss", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// 
Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateSubscriptionLevelStateToResolveWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToResolve", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + 
(_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/resolve").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if 
(_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// Name of the alert 
object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateSubscriptionLevelStateToActivateWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToActivate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new 
System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/activate").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + 
// Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// 
Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateSubscriptionLevelStateToInProgressWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToInProgress", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = 
new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/inProgress").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + 
/// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", 
"^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateResourceGroupLevelStateToResolve", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/resolve").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateResourceGroupLevelStateToDismiss", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateResourceGroupLevelStateToActivate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/activate").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task UpdateResourceGroupLevelStateToInProgressWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (alertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("alertName", alertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateResourceGroupLevelStateToInProgress", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/inProgress").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Simulate security alerts + /// + /// + /// Alert Simulator request body data. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + public async Task SimulateWithHttpMessagesAsync(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationResponse _response = await BeginSimulateWithHttpMessagesAsync(properties, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Simulate security alerts + /// + /// + /// Alert Simulator request body data. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task BeginSimulateWithHttpMessagesAsync(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.ApiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + AlertSimulatorRequestBody alertSimulatorRequestBody = new AlertSimulatorRequestBody(); + if (properties != null) + { + alertSimulatorRequestBody.Properties = properties; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("alertSimulatorRequestBody", alertSimulatorRequestBody); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginSimulate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/default/simulate").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (Client.ApiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(alertSimulatorRequestBody != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(alertSimulatorRequestBody, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType 
=System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + 
if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListSubscriptionLevelByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListSubscriptionLevelByRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListResourceGroupLevelByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListResourceGroupLevelByRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AlertsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AlertsOperationsExtensions.cs new file mode 100644 index 000000000000..f49df6801ff7 
--- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AlertsOperationsExtensions.cs 
@@ -0,0 +1,717 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AlertsOperations. + /// + public static partial class AlertsOperationsExtensions + { + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IAlertsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAlertsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + public static IPage ListByResourceGroup(this IAlertsOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAsync(this IAlertsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListSubscriptionLevelByRegion(this IAlertsOperations operations) + { + return operations.ListSubscriptionLevelByRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListSubscriptionLevelByRegionAsync(this IAlertsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListSubscriptionLevelByRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListResourceGroupLevelByRegion(this IAlertsOperations operations, string resourceGroupName) + { + return operations.ListResourceGroupLevelByRegionAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task> ListResourceGroupLevelByRegionAsync(this IAlertsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListResourceGroupLevelByRegionWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get an alert that is associated with a subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the alert object + /// + public static Alert GetSubscriptionLevel(this IAlertsOperations operations, string alertName) + { + return operations.GetSubscriptionLevelAsync(alertName).GetAwaiter().GetResult(); + } + + /// + /// Get an alert that is associated with a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task GetSubscriptionLevelAsync(this IAlertsOperations operations, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetSubscriptionLevelWithHttpMessagesAsync(alertName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get an alert that is associated a resource group or a resource in a + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + public static Alert GetResourceGroupLevel(this IAlertsOperations operations, string resourceGroupName, string alertName) + { + return operations.GetResourceGroupLevelAsync(resourceGroupName, alertName).GetAwaiter().GetResult(); + } + + /// + /// Get an alert that is associated a resource group or a resource in a + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetResourceGroupLevelAsync(this IAlertsOperations operations, string resourceGroupName, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetResourceGroupLevelWithHttpMessagesAsync(resourceGroupName, alertName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + public static void UpdateSubscriptionLevelStateToDismiss(this IAlertsOperations operations, string alertName) + { + operations.UpdateSubscriptionLevelStateToDismissAsync(alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task UpdateSubscriptionLevelStateToDismissAsync(this IAlertsOperations operations, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateSubscriptionLevelStateToDismissWithHttpMessagesAsync(alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + public static void UpdateSubscriptionLevelStateToResolve(this IAlertsOperations operations, string alertName) + { + operations.UpdateSubscriptionLevelStateToResolveAsync(alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateSubscriptionLevelStateToResolveAsync(this IAlertsOperations operations, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateSubscriptionLevelStateToResolveWithHttpMessagesAsync(alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + public static void UpdateSubscriptionLevelStateToActivate(this IAlertsOperations operations, string alertName) + { + operations.UpdateSubscriptionLevelStateToActivateAsync(alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task UpdateSubscriptionLevelStateToActivateAsync(this IAlertsOperations operations, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateSubscriptionLevelStateToActivateWithHttpMessagesAsync(alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + public static void UpdateSubscriptionLevelStateToInProgress(this IAlertsOperations operations, string alertName) + { + operations.UpdateSubscriptionLevelStateToInProgressAsync(alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateSubscriptionLevelStateToInProgressAsync(this IAlertsOperations operations, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateSubscriptionLevelStateToInProgressWithHttpMessagesAsync(alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + public static void UpdateResourceGroupLevelStateToResolve(this IAlertsOperations operations, string resourceGroupName, string alertName) + { + operations.UpdateResourceGroupLevelStateToResolveAsync(resourceGroupName, alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task UpdateResourceGroupLevelStateToResolveAsync(this IAlertsOperations operations, string resourceGroupName, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(resourceGroupName, alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Name of the alert object + /// + public static void UpdateResourceGroupLevelStateToDismiss(this IAlertsOperations operations, string resourceGroupName, string alertName) + { + operations.UpdateResourceGroupLevelStateToDismissAsync(resourceGroupName, alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task UpdateResourceGroupLevelStateToDismissAsync(this IAlertsOperations operations, string resourceGroupName, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(resourceGroupName, alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + public static void UpdateResourceGroupLevelStateToActivate(this IAlertsOperations operations, string resourceGroupName, string alertName) + { + operations.UpdateResourceGroupLevelStateToActivateAsync(resourceGroupName, alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateResourceGroupLevelStateToActivateAsync(this IAlertsOperations operations, string resourceGroupName, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(resourceGroupName, alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + public static void UpdateResourceGroupLevelStateToInProgress(this IAlertsOperations operations, string resourceGroupName, string alertName) + { + operations.UpdateResourceGroupLevelStateToInProgressAsync(resourceGroupName, alertName).GetAwaiter().GetResult(); + } + + /// + /// Update the alert's state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The cancellation token. + /// + public static async Task UpdateResourceGroupLevelStateToInProgressAsync(this IAlertsOperations operations, string resourceGroupName, string alertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateResourceGroupLevelStateToInProgressWithHttpMessagesAsync(resourceGroupName, alertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Simulate security alerts + /// + /// + /// The operations group for this extension method. + /// + /// + /// Alert Simulator request body data. 
+ /// + public static void Simulate(this IAlertsOperations operations, AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties)) + { + operations.SimulateAsync(properties).GetAwaiter().GetResult(); + } + + /// + /// Simulate security alerts + /// + /// + /// The operations group for this extension method. + /// + /// + /// Alert Simulator request body data. + /// + /// + /// The cancellation token. + /// + public static async Task SimulateAsync(this IAlertsOperations operations, AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.SimulateWithHttpMessagesAsync(properties, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Simulate security alerts + /// + /// + /// The operations group for this extension method. + /// + /// + /// Alert Simulator request body data. + /// + public static void BeginSimulate(this IAlertsOperations operations, AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties)) + { + operations.BeginSimulateAsync(properties).GetAwaiter().GetResult(); + } + + /// + /// Simulate security alerts + /// + /// + /// The operations group for this extension method. + /// + /// + /// Alert Simulator request body data. + /// + /// + /// The cancellation token. + /// + public static async Task BeginSimulateAsync(this IAlertsOperations operations, AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.BeginSimulateWithHttpMessagesAsync(properties, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IAlertsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAlertsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this IAlertsOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupNextAsync(this IAlertsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListSubscriptionLevelByRegionNext(this IAlertsOperations operations, string nextPageLink) + { + return operations.ListSubscriptionLevelByRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the subscription that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListSubscriptionLevelByRegionNextAsync(this IAlertsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListSubscriptionLevelByRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListResourceGroupLevelByRegionNext(this IAlertsOperations operations, string nextPageLink) + { + return operations.ListResourceGroupLevelByRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List all the alerts that are associated with the resource group that are + /// stored in a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListResourceGroupLevelByRegionNextAsync(this IAlertsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListResourceGroupLevelByRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAlertsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAlertsOperations.cs new file mode 100644 index 000000000000..5cb32b6c50ba --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAlertsOperations.cs 
@@ -0,0 +1,458 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AlertsOperations operations. + /// + public partial interface IAlertsOperations + { + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the subscription that + /// are stored in a specific location + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListSubscriptionLevelByRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the resource group + /// that are stored in a specific location + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListResourceGroupLevelByRegionWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get an alert that is associated with a subscription + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetSubscriptionLevelWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get an alert that is associated a resource group or a resource in a + /// resource group + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetResourceGroupLevelWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateSubscriptionLevelStateToDismissWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateSubscriptionLevelStateToResolveWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateSubscriptionLevelStateToActivateWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateSubscriptionLevelStateToInProgressWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update the alert's state + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the alert object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateResourceGroupLevelStateToInProgressWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Simulate security alerts + /// + /// + /// Alert Simulator request body data. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task SimulateWithHttpMessagesAsync(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Simulate security alerts + /// + /// + /// Alert Simulator request body data. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task BeginSimulateWithHttpMessagesAsync(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the resource group + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the subscription that + /// are stored in a specific location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListSubscriptionLevelByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all the alerts that are associated with the resource group + /// that are stored in a specific location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListResourceGroupLevelByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs new file mode 100644 index 000000000000..78d351964f35 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs 
@@ -0,0 +1,85 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + + /// + /// API spec for Microsoft.Security (Azure Security Center) alerts resource + /// provider + /// + public partial interface ISecurityCenterClient : System.IDisposable + { + /// + /// The base URI of the service. + /// + System.Uri BaseUri { get; set; } + + /// + /// Gets or sets json serialization settings. + /// + JsonSerializerSettings SerializationSettings { get; } + + /// + /// Gets or sets json deserialization settings. + /// + JsonSerializerSettings DeserializationSettings { get; } + + /// + /// Credentials needed for the client to connect to Azure. + /// + ServiceClientCredentials Credentials { get; } + + /// + /// The location where ASC stores the data of the subscription. can be + /// retrieved from Get locations + /// + string AscLocation { get; set; } + + /// + /// Azure subscription ID + /// + string SubscriptionId { get; set; } + + /// + /// API version for the operation + /// + string ApiVersion { get; } + + /// + /// The preferred language for the response. + /// + string AcceptLanguage { get; set; } + + /// + /// The retry timeout in seconds for Long Running Operations. Default + /// value is 30. + /// + int? LongRunningOperationRetryTimeout { get; set; } + + /// + /// Whether a unique x-ms-client-request-id should be generated. When + /// set to true a unique x-ms-client-request-id value is generated and + /// included in each request. Default is true. + /// + bool? GenerateClientRequestId { get; set; } + + + /// + /// Gets the IAlertsOperations. 
+ /// + IAlertsOperations Alerts { get; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Alert.cs b/src/Security/Security.Management.Sdk/Generated/Models/Alert.cs new file mode 100644 index 000000000000..c200d83427c2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Alert.cs 
@@ -0,0 +1,332 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security alert + /// + [Rest.Serialization.JsonTransformation] + public partial class Alert : Resource + { + /// + /// Initializes a new instance of the Alert class. + /// + public Alert() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Alert class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Schema version. + /// Unique identifier for the detection logic + /// (all alert instances from the same detection logic will have the + /// same alertType). + /// Unique identifier for the + /// alert. + /// The name of Azure Security + /// Center pricing tier which powering this alert. Learn more: + /// https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing + /// The display name of the + /// alert. + /// Description of the suspicious activity + /// that was detected. + /// The risk level of the threat that was + /// detected. Learn more: + /// https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. + /// Possible values include: 'Informational', 'Low', 'Medium', + /// 'High' + /// The kill chain related intent behind the + /// alert. For list of supported values, and explanations of Azure + /// Security Center's supported kill chain intents. 
Possible values + /// include: 'Unknown', 'PreAttack', 'InitialAccess', 'Persistence', + /// 'PrivilegeEscalation', 'DefenseEvasion', 'CredentialAccess', + /// 'Discovery', 'LateralMovement', 'Execution', 'Collection', + /// 'Exfiltration', 'CommandAndControl', 'Impact', 'Probing', + /// 'Exploitation' + /// The UTC time of the first event or + /// activity included in the alert in ISO8601 format. + /// The UTC time of the last event or activity + /// included in the alert in ISO8601 format. + /// The resource identifiers that can + /// be used to direct the alert to the right product exposure group + /// (tenant, workspace, subscription etc.). There can be multiple + /// identifiers of different type per alert. + /// Manual action items to take to + /// remediate the alert. + /// The name of the vendor that raises the + /// alert. + /// The life cycle status of the alert. Possible + /// values include: 'Active', 'InProgress', 'Resolved', + /// 'Dismissed' + /// Links related to the alert + /// A direct link to the alert page in Azure + /// Portal. + /// The UTC time the alert was generated + /// in ISO8601 format. + /// The name of the product which published + /// this alert (Azure Security Center, Azure ATP, Microsoft Defender + /// ATP, O365 ATP, MCAS, and so on). + /// The UTC processing end time of + /// the alert in ISO8601 format. + /// A list of entities related to the + /// alert. + /// This field determines whether the alert is + /// an incident (a compound grouping of several alerts) or a single + /// alert. + /// Key for corelating related alerts. + /// Alerts with the same correlation key considered to be + /// related. + /// Custom properties for the + /// alert. + /// The display name of the resource + /// most related to this alert. + /// kill chain related techniques behind the + /// alert. + /// Kill chain related sub-techniques + /// behind the alert. + /// Changing set of properties + /// depending on the supportingEvidence type. 
+ public Alert(string id = default(string), string name = default(string), string type = default(string), string version = default(string), string alertType = default(string), string systemAlertId = default(string), string productComponentName = default(string), string alertDisplayName = default(string), string description = default(string), string severity = default(string), string intent = default(string), System.DateTime? startTimeUtc = default(System.DateTime?), System.DateTime? endTimeUtc = default(System.DateTime?), IList resourceIdentifiers = default(IList), IList remediationSteps = default(IList), string vendorName = default(string), string status = default(string), IList> extendedLinks = default(IList>), string alertUri = default(string), System.DateTime? timeGeneratedUtc = default(System.DateTime?), string productName = default(string), System.DateTime? processingEndTimeUtc = default(System.DateTime?), IList entities = default(IList), bool? isIncident = default(bool?), string correlationKey = default(string), IDictionary extendedProperties = default(IDictionary), string compromisedEntity = default(string), IList techniques = default(IList), IList subTechniques = default(IList), AlertPropertiesSupportingEvidence supportingEvidence = default(AlertPropertiesSupportingEvidence)) + : base(id, name, type) + { + Version = version; + AlertType = alertType; + SystemAlertId = systemAlertId; + ProductComponentName = productComponentName; + AlertDisplayName = alertDisplayName; + Description = description; + Severity = severity; + Intent = intent; + StartTimeUtc = startTimeUtc; + EndTimeUtc = endTimeUtc; + ResourceIdentifiers = resourceIdentifiers; + RemediationSteps = remediationSteps; + VendorName = vendorName; + Status = status; + ExtendedLinks = extendedLinks; + AlertUri = alertUri; + TimeGeneratedUtc = timeGeneratedUtc; + ProductName = productName; + ProcessingEndTimeUtc = processingEndTimeUtc; + Entities = entities; + IsIncident = isIncident; + CorrelationKey = 
correlationKey; + ExtendedProperties = extendedProperties; + CompromisedEntity = compromisedEntity; + Techniques = techniques; + SubTechniques = subTechniques; + SupportingEvidence = supportingEvidence; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets schema version. + /// + [JsonProperty(PropertyName = "properties.version")] + public string Version { get; private set; } + + /// + /// Gets unique identifier for the detection logic (all alert instances + /// from the same detection logic will have the same alertType). + /// + [JsonProperty(PropertyName = "properties.alertType")] + public string AlertType { get; private set; } + + /// + /// Gets unique identifier for the alert. + /// + [JsonProperty(PropertyName = "properties.systemAlertId")] + public string SystemAlertId { get; private set; } + + /// + /// Gets the name of Azure Security Center pricing tier which powering + /// this alert. Learn more: + /// https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing + /// + [JsonProperty(PropertyName = "properties.productComponentName")] + public string ProductComponentName { get; private set; } + + /// + /// Gets the display name of the alert. + /// + [JsonProperty(PropertyName = "properties.alertDisplayName")] + public string AlertDisplayName { get; private set; } + + /// + /// Gets description of the suspicious activity that was detected. + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets the risk level of the threat that was detected. Learn more: + /// https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. 
+ /// Possible values include: 'Informational', 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "properties.severity")] + public string Severity { get; private set; } + + /// + /// Gets the kill chain related intent behind the alert. For list of + /// supported values, and explanations of Azure Security Center's + /// supported kill chain intents. Possible values include: 'Unknown', + /// 'PreAttack', 'InitialAccess', 'Persistence', 'PrivilegeEscalation', + /// 'DefenseEvasion', 'CredentialAccess', 'Discovery', + /// 'LateralMovement', 'Execution', 'Collection', 'Exfiltration', + /// 'CommandAndControl', 'Impact', 'Probing', 'Exploitation' + /// + [JsonProperty(PropertyName = "properties.intent")] + public string Intent { get; private set; } + + /// + /// Gets the UTC time of the first event or activity included in the + /// alert in ISO8601 format. + /// + [JsonProperty(PropertyName = "properties.startTimeUtc")] + public System.DateTime? StartTimeUtc { get; private set; } + + /// + /// Gets the UTC time of the last event or activity included in the + /// alert in ISO8601 format. + /// + [JsonProperty(PropertyName = "properties.endTimeUtc")] + public System.DateTime? EndTimeUtc { get; private set; } + + /// + /// Gets the resource identifiers that can be used to direct the alert + /// to the right product exposure group (tenant, workspace, + /// subscription etc.). There can be multiple identifiers of different + /// type per alert. + /// + [JsonProperty(PropertyName = "properties.resourceIdentifiers")] + public IList ResourceIdentifiers { get; private set; } + + /// + /// Gets manual action items to take to remediate the alert. + /// + [JsonProperty(PropertyName = "properties.remediationSteps")] + public IList RemediationSteps { get; private set; } + + /// + /// Gets the name of the vendor that raises the alert. 
+ /// + [JsonProperty(PropertyName = "properties.vendorName")] + public string VendorName { get; private set; } + + /// + /// Gets the life cycle status of the alert. Possible values include: + /// 'Active', 'InProgress', 'Resolved', 'Dismissed' + /// + [JsonProperty(PropertyName = "properties.status")] + public string Status { get; private set; } + + /// + /// Gets links related to the alert + /// + [JsonProperty(PropertyName = "properties.extendedLinks")] + public IList> ExtendedLinks { get; private set; } + + /// + /// Gets a direct link to the alert page in Azure Portal. + /// + [JsonProperty(PropertyName = "properties.alertUri")] + public string AlertUri { get; private set; } + + /// + /// Gets the UTC time the alert was generated in ISO8601 format. + /// + [JsonProperty(PropertyName = "properties.timeGeneratedUtc")] + public System.DateTime? TimeGeneratedUtc { get; private set; } + + /// + /// Gets the name of the product which published this alert (Azure + /// Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, + /// and so on). + /// + [JsonProperty(PropertyName = "properties.productName")] + public string ProductName { get; private set; } + + /// + /// Gets the UTC processing end time of the alert in ISO8601 format. + /// + [JsonProperty(PropertyName = "properties.processingEndTimeUtc")] + public System.DateTime? ProcessingEndTimeUtc { get; private set; } + + /// + /// Gets a list of entities related to the alert. + /// + [JsonProperty(PropertyName = "properties.entities")] + public IList Entities { get; private set; } + + /// + /// Gets this field determines whether the alert is an incident (a + /// compound grouping of several alerts) or a single alert. + /// + [JsonProperty(PropertyName = "properties.isIncident")] + public bool? IsIncident { get; private set; } + + /// + /// Gets key for corelating related alerts. Alerts with the same + /// correlation key considered to be related. 
+ /// + [JsonProperty(PropertyName = "properties.correlationKey")] + public string CorrelationKey { get; private set; } + + /// + /// Gets or sets custom properties for the alert. + /// + [JsonProperty(PropertyName = "properties.extendedProperties")] + public IDictionary ExtendedProperties { get; set; } + + /// + /// Gets the display name of the resource most related to this alert. + /// + [JsonProperty(PropertyName = "properties.compromisedEntity")] + public string CompromisedEntity { get; private set; } + + /// + /// Gets kill chain related techniques behind the alert. + /// + [JsonProperty(PropertyName = "properties.techniques")] + public IList Techniques { get; private set; } + + /// + /// Gets kill chain related sub-techniques behind the alert. + /// + [JsonProperty(PropertyName = "properties.subTechniques")] + public IList SubTechniques { get; private set; } + + /// + /// Gets or sets changing set of properties depending on the + /// supportingEvidence type. + /// + [JsonProperty(PropertyName = "properties.supportingEvidence")] + public AlertPropertiesSupportingEvidence SupportingEvidence { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertEntity.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertEntity.cs new file mode 100644 index 000000000000..538b3dceaaee --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertEntity.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Changing set of properties depending on the entity type. + /// + public partial class AlertEntity + { + /// + /// Initializes a new instance of the AlertEntity class. + /// + public AlertEntity() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertEntity class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + /// Type of entity + public AlertEntity(IDictionary additionalProperties = default(IDictionary), string type = default(string)) + { + AdditionalProperties = additionalProperties; + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + /// + /// Gets type of entity + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertPropertiesSupportingEvidence.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertPropertiesSupportingEvidence.cs new file mode 100644 index 000000000000..8e65be80e2f9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertPropertiesSupportingEvidence.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Changing set of properties depending on the supportingEvidence type. + /// + public partial class AlertPropertiesSupportingEvidence + { + /// + /// Initializes a new instance of the AlertPropertiesSupportingEvidence + /// class. + /// + public AlertPropertiesSupportingEvidence() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertPropertiesSupportingEvidence + /// class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + /// Type of the supportingEvidence + public AlertPropertiesSupportingEvidence(IDictionary additionalProperties = default(IDictionary), string type = default(string)) + { + AdditionalProperties = additionalProperties; + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + /// + /// Gets type of the supportingEvidence + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSeverity.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSeverity.cs new file mode 100644 index 000000000000..f54b8f9ca28a --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSeverity.cs @@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AlertSeverity. + /// + public static class AlertSeverity + { + /// + /// Informational + /// + public const string Informational = "Informational"; + /// + /// Low + /// + public const string Low = "Low"; + /// + /// Medium + /// + public const string Medium = "Medium"; + /// + /// High + /// + public const string High = "High"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorBundlesRequestProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorBundlesRequestProperties.cs new file mode 100644 index 000000000000..04aa34c27f51 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorBundlesRequestProperties.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Simulate alerts according to this bundles. + /// + [Newtonsoft.Json.JsonObject("Bundles")] + public partial class AlertSimulatorBundlesRequestProperties : AlertSimulatorRequestProperties + { + /// + /// Initializes a new instance of the + /// AlertSimulatorBundlesRequestProperties class. + /// + public AlertSimulatorBundlesRequestProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AlertSimulatorBundlesRequestProperties class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + /// Bundles list. + public AlertSimulatorBundlesRequestProperties(IDictionary additionalProperties = default(IDictionary), IList bundles = default(IList)) + : base(additionalProperties) + { + Bundles = bundles; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets bundles list. + /// + [JsonProperty(PropertyName = "bundles")] + public IList Bundles { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestBody.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestBody.cs new file mode 100644 index 000000000000..c8bbb95a1506 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestBody.cs 
@@ -0,0 +1,51 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Alert Simulator request body. + /// + public partial class AlertSimulatorRequestBody + { + /// + /// Initializes a new instance of the AlertSimulatorRequestBody class. + /// + public AlertSimulatorRequestBody() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertSimulatorRequestBody class. + /// + /// Alert Simulator request body data. + public AlertSimulatorRequestBody(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties)) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets alert Simulator request body data. + /// + [JsonProperty(PropertyName = "properties")] + public AlertSimulatorRequestProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs new file mode 100644 index 000000000000..eed55ecbc415 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs 
@@ -0,0 +1,57 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes properties of an alert simulation request + /// + public partial class AlertSimulatorRequestProperties + { + /// + /// Initializes a new instance of the AlertSimulatorRequestProperties + /// class. + /// + public AlertSimulatorRequestProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertSimulatorRequestProperties + /// class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + public AlertSimulatorRequestProperties(IDictionary additionalProperties = default(IDictionary)) + { + AdditionalProperties = additionalProperties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertStatus.cs new file mode 100644 index 000000000000..88e3514a9f4e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertStatus.cs 
@@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AlertStatus. + /// + public static class AlertStatus + { + /// + /// An alert which doesn't specify a value is assigned the status + /// 'Active' + /// + public const string Active = "Active"; + /// + /// An alert which is in handling state + /// + public const string InProgress = "InProgress"; + /// + /// Alert closed after handling + /// + public const string Resolved = "Resolved"; + /// + /// Alert dismissed as false positive + /// + public const string Dismissed = "Dismissed"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AscLocation.cs b/src/Security/Security.Management.Sdk/Generated/Models/AscLocation.cs new file mode 100644 index 000000000000..720b19953282 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AscLocation.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ASC location of the subscription is in the "name" field + /// + public partial class AscLocation : Resource + { + /// + /// Initializes a new instance of the AscLocation class. + /// + public AscLocation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AscLocation class. + /// + /// Resource Id + /// Resource name + /// Resource type + public AscLocation(string id = default(string), string name = default(string), string type = default(string), object properties = default(object)) + : base(id, name, type) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public object Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceIdentifier.cs b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceIdentifier.cs new file mode 100644 index 000000000000..4bfd85f17cd3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceIdentifier.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Azure resource identifier. + /// + [Newtonsoft.Json.JsonObject("AzureResource")] + public partial class AzureResourceIdentifier : ResourceIdentifier + { + /// + /// Initializes a new instance of the AzureResourceIdentifier class. + /// + public AzureResourceIdentifier() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AzureResourceIdentifier class. + /// + /// ARM resource identifier for the cloud + /// resource being alerted on + public AzureResourceIdentifier(string azureResourceId = default(string)) + { + AzureResourceId = azureResourceId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets ARM resource identifier for the cloud resource being alerted + /// on + /// + [JsonProperty(PropertyName = "azureResourceId")] + public string AzureResourceId { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AzureTrackedResourceLocation.cs b/src/Security/Security.Management.Sdk/Generated/Models/AzureTrackedResourceLocation.cs new file mode 100644 index 000000000000..446d816f4f1d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AzureTrackedResourceLocation.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with location + /// + public partial class AzureTrackedResourceLocation + { + /// + /// Initializes a new instance of the AzureTrackedResourceLocation + /// class. + /// + public AzureTrackedResourceLocation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AzureTrackedResourceLocation + /// class. + /// + /// Location where the resource is + /// stored + public AzureTrackedResourceLocation(string location = default(string)) + { + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/BundleType.cs b/src/Security/Security.Management.Sdk/Generated/Models/BundleType.cs new file mode 100644 index 000000000000..c6140d4697c1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/BundleType.cs 
@@ -0,0 +1,29 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for BundleType. + /// + public static class BundleType + { + public const string AppServices = "AppServices"; + public const string DNS = "DNS"; + public const string KeyVaults = "KeyVaults"; + public const string KubernetesService = "KubernetesService"; + public const string ResourceManager = "ResourceManager"; + public const string SqlServers = "SqlServers"; + public const string StorageAccounts = "StorageAccounts"; + public const string VirtualMachines = "VirtualMachines"; + public const string CosmosDbs = "CosmosDbs"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ETag.cs b/src/Security/Security.Management.Sdk/Generated/Models/ETag.cs new file mode 100644 index 000000000000..1909408527d8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ETag.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Entity tag is used for comparing two or more entities from the same + /// requested resource. + /// + public partial class ETag + { + /// + /// Initializes a new instance of the ETag class. + /// + public ETag() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ETag class. + /// + /// Entity tag is used for comparing two or more + /// entities from the same requested resource. + public ETag(string etag = default(string)) + { + Etag = etag; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets entity tag is used for comparing two or more entities + /// from the same requested resource. + /// + [JsonProperty(PropertyName = "etag")] + public string Etag { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ErrorAdditionalInfo.cs b/src/Security/Security.Management.Sdk/Generated/Models/ErrorAdditionalInfo.cs new file mode 100644 index 000000000000..9beab3502ae2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ErrorAdditionalInfo.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The resource management error additional info. + /// + public partial class ErrorAdditionalInfo + { + /// + /// Initializes a new instance of the ErrorAdditionalInfo class. + /// + public ErrorAdditionalInfo() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ErrorAdditionalInfo class. + /// + /// The additional info type. + /// The additional info. + public ErrorAdditionalInfo(string type = default(string), object info = default(object)) + { + Type = type; + Info = info; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the additional info type. + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets the additional info. + /// + [JsonProperty(PropertyName = "info")] + public object Info { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs b/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs new file mode 100644 index 000000000000..671f7b602390 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs 
@@ -0,0 +1,117 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Intent. + /// + public static class Intent + { + /// + /// Unknown + /// + public const string Unknown = "Unknown"; + /// + /// PreAttack could be either an attempt to access a certain resource + /// regardless of a malicious intent, or a failed attempt to gain + /// access to a target system to gather information prior to + /// exploitation. This step is usually detected as an attempt, + /// originating from outside the network, to scan the target system and + /// find a way in. Further details on the PreAttack stage can be read + /// in [MITRE Pre-Att&ck + /// matrix](https://attack.mitre.org/matrices/pre/). + /// + public const string PreAttack = "PreAttack"; + /// + /// InitialAccess is the stage where an attacker manages to get + /// foothold on the attacked resource. + /// + public const string InitialAccess = "InitialAccess"; + /// + /// Persistence is any access, action, or configuration change to a + /// system that gives a threat actor a persistent presence on that + /// system. + /// + public const string Persistence = "Persistence"; + /// + /// Privilege escalation is the result of actions that allow an + /// adversary to obtain a higher level of permissions on a system or + /// network. + /// + public const string PrivilegeEscalation = "PrivilegeEscalation"; + /// + /// Defense evasion consists of techniques an adversary may use to + /// evade detection or avoid other defenses. 
+ /// + public const string DefenseEvasion = "DefenseEvasion"; + /// + /// Credential access represents techniques resulting in access to or + /// control over system, domain, or service credentials that are used + /// within an enterprise environment. + /// + public const string CredentialAccess = "CredentialAccess"; + /// + /// Discovery consists of techniques that allow the adversary to gain + /// knowledge about the system and internal network. + /// + public const string Discovery = "Discovery"; + /// + /// Lateral movement consists of techniques that enable an adversary to + /// access and control remote systems on a network and could, but does + /// not necessarily, include execution of tools on remote systems. + /// + public const string LateralMovement = "LateralMovement"; + /// + /// The execution tactic represents techniques that result in execution + /// of adversary-controlled code on a local or remote system. + /// + public const string Execution = "Execution"; + /// + /// Collection consists of techniques used to identify and gather + /// information, such as sensitive files, from a target network prior + /// to exfiltration. + /// + public const string Collection = "Collection"; + /// + /// Exfiltration refers to techniques and attributes that result or aid + /// in the adversary removing files and information from a target + /// network. + /// + public const string Exfiltration = "Exfiltration"; + /// + /// The command and control tactic represents how adversaries + /// communicate with systems under their control within a target + /// network. + /// + public const string CommandAndControl = "CommandAndControl"; + /// + /// Impact events primarily try to directly reduce the availability or + /// integrity of a system, service, or network; including manipulation + /// of data to impact a business or operational process. 
+ /// + public const string Impact = "Impact"; + /// + /// Probing could be either an attempt to access a certain resource + /// regardless of a malicious intent, or a failed attempt to gain + /// access to a target system to gather information prior to + /// exploitation. + /// + public const string Probing = "Probing"; + /// + /// Exploitation is the stage where an attacker manages to get a + /// foothold on the attacked resource. This stage is relevant for + /// compute hosts and resources such as user accounts, certificates + /// etc. + /// + public const string Exploitation = "Exploitation"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Kind.cs b/src/Security/Security.Management.Sdk/Generated/Models/Kind.cs new file mode 100644 index 000000000000..1f323cae2c56 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Kind.cs 
@@ -0,0 +1,51 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with kind + /// + public partial class Kind + { + /// + /// Initializes a new instance of the Kind class. + /// + public Kind() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Kind class. + /// + /// Kind of the resource + public Kind(string kindProperty = default(string)) + { + KindProperty = kindProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets kind of the resource + /// + [JsonProperty(PropertyName = "kind")] + public string KindProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/LogAnalyticsIdentifier.cs b/src/Security/Security.Management.Sdk/Generated/Models/LogAnalyticsIdentifier.cs new file mode 100644 index 000000000000..75b4efedb02b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/LogAnalyticsIdentifier.cs 
@@ -0,0 +1,100 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a Log Analytics workspace scope identifier. + /// + [Newtonsoft.Json.JsonObject("LogAnalytics")] + public partial class LogAnalyticsIdentifier : ResourceIdentifier + { + /// + /// Initializes a new instance of the LogAnalyticsIdentifier class. + /// + public LogAnalyticsIdentifier() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the LogAnalyticsIdentifier class. + /// + /// The LogAnalytics workspace id that stores + /// this alert. + /// The azure subscription id for + /// the LogAnalytics workspace storing this alert. + /// The azure resource group for + /// the LogAnalytics workspace storing this alert + /// (optional) The LogAnalytics agent id + /// reporting the event that this alert is based on. + public LogAnalyticsIdentifier(string workspaceId = default(string), string workspaceSubscriptionId = default(string), string workspaceResourceGroup = default(string), string agentId = default(string)) + { + WorkspaceId = workspaceId; + WorkspaceSubscriptionId = workspaceSubscriptionId; + WorkspaceResourceGroup = workspaceResourceGroup; + AgentId = agentId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the LogAnalytics workspace id that stores this alert. 
+ /// + [JsonProperty(PropertyName = "workspaceId")] + public string WorkspaceId { get; private set; } + + /// + /// Gets the azure subscription id for the LogAnalytics workspace + /// storing this alert. + /// + [JsonProperty(PropertyName = "workspaceSubscriptionId")] + public string WorkspaceSubscriptionId { get; private set; } + + /// + /// Gets the azure resource group for the LogAnalytics workspace + /// storing this alert + /// + [JsonProperty(PropertyName = "workspaceResourceGroup")] + public string WorkspaceResourceGroup { get; private set; } + + /// + /// Gets (optional) The LogAnalytics agent id reporting the event that + /// this alert is based on. + /// + [JsonProperty(PropertyName = "agentId")] + public string AgentId { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (WorkspaceSubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(WorkspaceSubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "WorkspaceSubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Page.cs b/src/Security/Security.Management.Sdk/Generated/Models/Page.cs new file mode 100644 index 000000000000..3fd68902cfcb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Page.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + + /// + /// Defines a page in Azure responses. + /// + /// Type of the page content items + [JsonObject] + public class Page : IPage + { + /// + /// Gets the link to the next page. + /// + [JsonProperty("nextLink")] + public string NextPageLink { get; private set; } + + [JsonProperty("value")] + private IList Items{ get; set; } + + /// + /// Returns an enumerator that iterates through the collection. + /// + /// A an enumerator that can be used to iterate through the collection. + public IEnumerator GetEnumerator() + { + return Items == null ? System.Linq.Enumerable.Empty().GetEnumerator() : Items.GetEnumerator(); + } + + /// + /// Returns an enumerator that iterates through the collection. + /// + /// A an enumerator that can be used to iterate through the collection. + IEnumerator IEnumerable.GetEnumerator() + { + return GetEnumerator(); + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Resource.cs b/src/Security/Security.Management.Sdk/Generated/Models/Resource.cs new file mode 100644 index 000000000000..d1b0f61c4799 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Resource.cs 
@@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource. + /// + public partial class Resource : IResource + { + /// + /// Initializes a new instance of the Resource class. + /// + public Resource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Resource class. + /// + /// Resource Id + /// Resource name + /// Resource type + public Resource(string id = default(string), string name = default(string), string type = default(string)) + { + Id = id; + Name = name; + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs b/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs new file mode 100644 index 000000000000..bc31b41d1edd --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs 
@@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using System.Linq; + + /// + /// A resource identifier for an alert which can be used to direct the + /// alert to the right product exposure group (tenant, workspace, + /// subscription etc.). + /// + public partial class ResourceIdentifier + { + /// + /// Initializes a new instance of the ResourceIdentifier class. + /// + public ResourceIdentifier() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Tags.cs b/src/Security/Security.Management.Sdk/Generated/Models/Tags.cs new file mode 100644 index 000000000000..a217d6f42095 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Tags.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A list of key value pairs that describe the resource. + /// + public partial class Tags + { + /// + /// Initializes a new instance of the Tags class. + /// + public Tags() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Tags class. + /// + /// A list of key value pairs that describe + /// the resource. + public Tags(IDictionary tagsProperty = default(IDictionary)) + { + TagsProperty = tagsProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets a list of key value pairs that describe the resource. + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary TagsProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TrackedResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/TrackedResource.cs new file mode 100644 index 000000000000..c2c25e9adf7a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TrackedResource.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes an Azure tracked resource. + /// + public partial class TrackedResource + { + /// + /// Initializes a new instance of the TrackedResource class. + /// + public TrackedResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TrackedResource class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// Kind of the resource + /// Entity tag is used for comparing two or more + /// entities from the same requested resource. + /// A list of key value pairs that describe the + /// resource. 
+ public TrackedResource(string id = default(string), string name = default(string), string type = default(string), string location = default(string), string kind = default(string), string etag = default(string), IDictionary tags = default(IDictionary)) + { + Id = id; + Name = name; + Type = type; + Location = location; + Kind = kind; + Etag = etag; + Tags = tags; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets or sets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + /// + /// Gets or sets kind of the resource + /// + [JsonProperty(PropertyName = "kind")] + public string Kind { get; set; } + + /// + /// Gets or sets entity tag is used for comparing two or more entities + /// from the same requested resource. + /// + [JsonProperty(PropertyName = "etag")] + public string Etag { get; set; } + + /// + /// Gets or sets a list of key value pairs that describe the resource. + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary Tags { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs b/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs new file mode 100644 index 000000000000..d19c79eba634 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs 
@@ -0,0 +1,27 @@ + +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using System; + using System.Collections.Generic; + using System.Linq; + + internal static partial class SdkInfo + { + public static IEnumerable> ApiInfo_SecurityCenter + { + get + { + return new Tuple[] + { + new Tuple("Security", "Alerts", "2022-01-01"), + }.AsEnumerable(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs b/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs new file mode 100644 index 000000000000..0bfe38d94ebe --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs 
@@ -0,0 +1,371 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Microsoft.Rest.Serialization; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + + /// + /// API spec for Microsoft.Security (Azure Security Center) alerts resource + /// provider + /// + public partial class SecurityCenterClient : ServiceClient, ISecurityCenterClient, IAzureClient + { + /// + /// The base URI of the service. + /// + public System.Uri BaseUri { get; set; } + + /// + /// Gets or sets json serialization settings. + /// + public JsonSerializerSettings SerializationSettings { get; private set; } + + /// + /// Gets or sets json deserialization settings. + /// + public JsonSerializerSettings DeserializationSettings { get; private set; } + + /// + /// Credentials needed for the client to connect to Azure. + /// + public ServiceClientCredentials Credentials { get; private set; } + + /// + /// The location where ASC stores the data of the subscription. can be + /// retrieved from Get locations + /// + public string AscLocation { get; set; } + + /// + /// Azure subscription ID + /// + public string SubscriptionId { get; set; } + + /// + /// API version for the operation + /// + public string ApiVersion { get; private set; } + + /// + /// The preferred language for the response. + /// + public string AcceptLanguage { get; set; } + + /// + /// The retry timeout in seconds for Long Running Operations. Default value is + /// 30. + /// + public int? 
LongRunningOperationRetryTimeout { get; set; } + + /// + /// Whether a unique x-ms-client-request-id should be generated. When set to + /// true a unique x-ms-client-request-id value is generated and included in + /// each request. Default is true. + /// + public bool? GenerateClientRequestId { get; set; } + + /// + /// Gets the IAlertsOperations. + /// + public virtual IAlertsOperations Alerts { get; private set; } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// HttpClient to be used + /// + /// + /// True: will dispose the provided httpClient on calling SecurityCenterClient.Dispose(). False: will not dispose provided httpClient + protected SecurityCenterClient(HttpClient httpClient, bool disposeHttpClient) : base(httpClient, disposeHttpClient) + { + Initialize(); + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + protected SecurityCenterClient(params DelegatingHandler[] handlers) : base(handlers) + { + Initialize(); + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The http client handler used to handle http transport. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + protected SecurityCenterClient(HttpClientHandler rootHandler, params DelegatingHandler[] handlers) : base(rootHandler, handlers) + { + Initialize(); + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The base URI of the service. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. 
+ /// + /// + /// Thrown when a required parameter is null + /// + protected SecurityCenterClient(System.Uri baseUri, params DelegatingHandler[] handlers) : this(handlers) + { + if (baseUri == null) + { + throw new System.ArgumentNullException("baseUri"); + } + BaseUri = baseUri; + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The base URI of the service. + /// + /// + /// Optional. The http client handler used to handle http transport. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + /// + /// Thrown when a required parameter is null + /// + protected SecurityCenterClient(System.Uri baseUri, HttpClientHandler rootHandler, params DelegatingHandler[] handlers) : this(rootHandler, handlers) + { + if (baseUri == null) + { + throw new System.ArgumentNullException("baseUri"); + } + BaseUri = baseUri; + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Required. Credentials needed for the client to connect to Azure. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + /// + /// Thrown when a required parameter is null + /// + public SecurityCenterClient(ServiceClientCredentials credentials, params DelegatingHandler[] handlers) : this(handlers) + { + if (credentials == null) + { + throw new System.ArgumentNullException("credentials"); + } + Credentials = credentials; + if (Credentials != null) + { + Credentials.InitializeServiceClient(this); + } + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Required. Credentials needed for the client to connect to Azure. + /// + /// + /// HttpClient to be used + /// + /// + /// True: will dispose the provided httpClient on calling SecurityCenterClient.Dispose(). 
False: will not dispose provided httpClient + /// + /// Thrown when a required parameter is null + /// + public SecurityCenterClient(ServiceClientCredentials credentials, HttpClient httpClient, bool disposeHttpClient) : this(httpClient, disposeHttpClient) + { + if (credentials == null) + { + throw new System.ArgumentNullException("credentials"); + } + Credentials = credentials; + if (Credentials != null) + { + Credentials.InitializeServiceClient(this); + } + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Required. Credentials needed for the client to connect to Azure. + /// + /// + /// Optional. The http client handler used to handle http transport. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + /// + /// Thrown when a required parameter is null + /// + public SecurityCenterClient(ServiceClientCredentials credentials, HttpClientHandler rootHandler, params DelegatingHandler[] handlers) : this(rootHandler, handlers) + { + if (credentials == null) + { + throw new System.ArgumentNullException("credentials"); + } + Credentials = credentials; + if (Credentials != null) + { + Credentials.InitializeServiceClient(this); + } + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The base URI of the service. + /// + /// + /// Required. Credentials needed for the client to connect to Azure. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. 
+ /// + /// + /// Thrown when a required parameter is null + /// + public SecurityCenterClient(System.Uri baseUri, ServiceClientCredentials credentials, params DelegatingHandler[] handlers) : this(handlers) + { + if (baseUri == null) + { + throw new System.ArgumentNullException("baseUri"); + } + if (credentials == null) + { + throw new System.ArgumentNullException("credentials"); + } + BaseUri = baseUri; + Credentials = credentials; + if (Credentials != null) + { + Credentials.InitializeServiceClient(this); + } + } + + /// + /// Initializes a new instance of the SecurityCenterClient class. + /// + /// + /// Optional. The base URI of the service. + /// + /// + /// Required. Credentials needed for the client to connect to Azure. + /// + /// + /// Optional. The http client handler used to handle http transport. + /// + /// + /// Optional. The delegating handlers to add to the http client pipeline. + /// + /// + /// Thrown when a required parameter is null + /// + public SecurityCenterClient(System.Uri baseUri, ServiceClientCredentials credentials, HttpClientHandler rootHandler, params DelegatingHandler[] handlers) : this(rootHandler, handlers) + { + if (baseUri == null) + { + throw new System.ArgumentNullException("baseUri"); + } + if (credentials == null) + { + throw new System.ArgumentNullException("credentials"); + } + BaseUri = baseUri; + Credentials = credentials; + if (Credentials != null) + { + Credentials.InitializeServiceClient(this); + } + } + + /// + /// An optional partial-method to perform custom initialization. + /// + partial void CustomInitialize(); + /// + /// Initializes client properties. 
+ /// + private void Initialize() + { + Alerts = new AlertsOperations(this); + BaseUri = new System.Uri("https://management.azure.com"); + ApiVersion = "2022-01-01"; + AcceptLanguage = "en-US"; + LongRunningOperationRetryTimeout = 30; + GenerateClientRequestId = true; + SerializationSettings = new JsonSerializerSettings + { + Formatting = Newtonsoft.Json.Formatting.Indented, + DateFormatHandling = Newtonsoft.Json.DateFormatHandling.IsoDateFormat, + DateTimeZoneHandling = Newtonsoft.Json.DateTimeZoneHandling.Utc, + NullValueHandling = Newtonsoft.Json.NullValueHandling.Ignore, + ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Serialize, + ContractResolver = new ReadOnlyJsonContractResolver(), + Converters = new List + { + new Iso8601TimeSpanConverter() + } + }; + SerializationSettings.Converters.Add(new TransformationJsonConverter()); + DeserializationSettings = new JsonSerializerSettings + { + DateFormatHandling = Newtonsoft.Json.DateFormatHandling.IsoDateFormat, + DateTimeZoneHandling = Newtonsoft.Json.DateTimeZoneHandling.Utc, + NullValueHandling = Newtonsoft.Json.NullValueHandling.Ignore, + ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Serialize, + ContractResolver = new ReadOnlyJsonContractResolver(), + Converters = new List + { + new Iso8601TimeSpanConverter() + } + }; + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("type")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("type")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("kind")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("kind")); + CustomInitialize(); + DeserializationSettings.Converters.Add(new TransformationJsonConverter()); + DeserializationSettings.Converters.Add(new CloudErrorJsonConverter()); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Properties/AssemblyInfo.cs b/src/Security/Security.Management.Sdk/Properties/AssemblyInfo.cs
new file mode 100644
index 000000000000..cd857a6a528d
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Properties/AssemblyInfo.cs
@@ -0,0 +1,18 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System.Reflection;
+using System.Resources;
+
+[assembly: AssemblyTitle("Microsoft Azure Security Center Library")]
+[assembly: AssemblyDescription("Provides management functionality for Microsoft Azure Security Center Resources.")]
+
+[assembly: AssemblyVersion("4.0.0.0")]
+[assembly: AssemblyFileVersion("4.0.0.0")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Microsoft")]
+[assembly: AssemblyProduct("Microsoft Azure .NET SDK")]
+[assembly: AssemblyCopyright("Copyright (c) Microsoft Corporation")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+[assembly: NeutralResourcesLanguage("en")]
diff --git a/src/Security/Security.Management.Sdk/README.md b/src/Security/Security.Management.Sdk/README.md
new file mode 100644
index 000000000000..1c8c477b830b
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/README.md
@@ -0,0 +1,48 @@
+# Overall
+This directory contains management plane service clients of Az.Security module.
+
+## Run Generation
+In this directory, run AutoRest:
+```
+autorest --reset
+autorest --use:@microsoft.azure/autorest.csharp@2.3.90
+autorest.cmd README.md --version=v2
+```
+
+### AutoRest Configuration
+> see https://aka.ms/autorest
+``` yaml
+csharp: true
+clear-output-folder: true
+reflect-api-versions: true
+openapi-type: arm
+azure-arm: true
+license-header: MICROSOFT_MIT_NO_VERSION
+payload-flattening-threshold: 2
+```
+
+
+
+###
+``` yaml
+input-file:
+ - https://github.com/Azure/azure-rest-api-specs/blob/main/specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/alerts.json
+
+directive:
+ - from: securityContacts.json
+ where: $.definitions.SecurityContactProperties.properties.alertNotifications.properties.state
+ transform: >
+ $['x-ms-enum']['name'] = 'SecurityAlertNotificationState';
+ - from: securityContacts.json
+ where: $.definitions.SecurityContactProperties.properties.notificationsByRole.properties.state
+ transform: >
+ $['x-ms-enum']['name'] = 'SecurityAlertNotificationByRoleState';
+ - from: swagger-document
+ where: $.parameters.AscLocation
+ transform: >
+ $['x-ms-parameter-location'] = 'client';
+
+output-folder: Generated
+
+namespace: Microsoft.Azure.Management.Security
+```
\ No newline at end of file
diff --git a/src/Security/Security.Management.Sdk/Security.Management.Sdk.csproj b/src/Security/Security.Management.Sdk/Security.Management.Sdk.csproj
new file mode 100644
index 000000000000..11fc5ca41300
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Security.Management.Sdk.csproj
@@ -0,0 +1,18 @@
+
+
+
+ Security
+
+
+
+
+
+ netstandard2.0
+ Microsoft.Azure.PowerShell.Security.Management.Sdk
+ Microsoft.Azure.Management.Security
+ $(NoWarn);CS0108;CS1573
+
+
+
+
+
diff --git a/src/Security/Security.sln b/src/Security/Security.sln
index a22b8ab1aa30..e87304ad7e46 100644
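Review bot: The `input-file` entry in the second yaml block of Security.Management.Sdk/README.md pulls `alerts.json` from `blob/main`, a mutable branch, so re-running the documented AutoRest commands can produce a different client from the one committed under `Generated/`, and the checked-in code cannot be traced back to a reviewed spec revision. Pin the URL to a commit of azure-rest-api-specs, for example `- https://github.com/Azure/azure-rest-api-specs/blob/<commit-sha>/specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/alerts.json` (placeholder; substitute the revision actually used), the same way the generator is already pinned with `autorest.csharp@2.3.90`. The two directives with `from: securityContacts.json` have no matching input file in this block and appear to be inert in this commit; a one-line comment saying which later input they are meant for would avoid confusion.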
--- a/src/Security/Security.sln +++ b/src/Security/Security.sln @@ -32,6 +32,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Compute.AlcWrapper", "..\Co EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Az.Compute", "..\Compute\Compute.Autorest\Az.Compute.csproj", "{9C271BA4-C9F6-4736-995F-3D606FBCFDCC}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Security.Management.Sdk", "Security.Management.Sdk\Security.Management.Sdk.csproj", "{BE642E86-3333-4F83-A8F8-3867272A80FF}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -94,6 +96,10 @@ Global {9C271BA4-C9F6-4736-995F-3D606FBCFDCC}.Debug|Any CPU.Build.0 = Debug|Any CPU {9C271BA4-C9F6-4736-995F-3D606FBCFDCC}.Release|Any CPU.ActiveCfg = Release|Any CPU {9C271BA4-C9F6-4736-995F-3D606FBCFDCC}.Release|Any CPU.Build.0 = Release|Any CPU + {BE642E86-3333-4F83-A8F8-3867272A80FF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {BE642E86-3333-4F83-A8F8-3867272A80FF}.Debug|Any CPU.Build.0 = Debug|Any CPU + {BE642E86-3333-4F83-A8F8-3867272A80FF}.Release|Any CPU.ActiveCfg = Release|Any CPU + {BE642E86-3333-4F83-A8F8-3867272A80FF}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/src/Security/Security/Az.Security.psd1 b/src/Security/Security/Az.Security.psd1 index 22dc00e66b11..d5da5657c011 100644 --- a/src/Security/Security/Az.Security.psd1 +++ b/src/Security/Security/Az.Security.psd1 @@ -56,7 +56,7 @@ DotNetFrameworkVersion = '4.7.2' RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '2.8.0'; }) # Assemblies that must be loaded prior to importing this module -RequiredAssemblies = 'Microsoft.Azure.Management.SecurityCenter.dll' +RequiredAssemblies = 'Microsoft.Azure.PowerShell.Security.Management.Sdk.dll' # Script files (.ps1) that are run in the caller's environment prior to importing this module. # ScriptsToProcess = @() 
diff --git a/src/Security/Security/Security.csproj b/src/Security/Security/Security.csproj index 735a4ffb4f09..3a4ca91b871c 100644 --- a/src/Security/Security/Security.csproj +++ b/src/Security/Security/Security.csproj @@ -11,7 +11,7 @@ - + From c434c37be2eade54f5d5d6affedd8f1317482c86 Mon Sep 17 00:00:00 2001 
From: yifat Date: Wed, 16 Nov 2022 15:08:00 +0200 Subject: [PATCH 02/18] Add all code to module --- .../AdaptiveApplicationControlsOperations.cs | 836 ++++++ ...ApplicationControlsOperationsExtensions.cs | 168 ++ .../AdaptiveNetworkHardeningsOperations.cs | 1003 +++++++ ...veNetworkHardeningsOperationsExtensions.cs | 325 +++ .../AdvancedThreatProtectionOperations.cs | 436 +++ ...cedThreatProtectionOperationsExtensions.cs | 101 + .../Generated/AlertsOperations.cs | 150 +- .../AlertsSuppressionRulesOperations.cs | 992 +++++++ ...rtsSuppressionRulesOperationsExtensions.cs | 200 ++ .../Generated/AllowedConnectionsOperations.cs | 999 +++++++ .../AllowedConnectionsOperationsExtensions.cs | 203 ++ .../Generated/ApplicationOperations.cs | 645 +++++ .../ApplicationOperationsExtensions.cs | 130 + .../Generated/ApplicationsOperations.cs | 410 +++ .../ApplicationsOperationsExtensions.cs | 87 + .../AssessmentsMetadataOperations.cs | 1504 ++++++++++ ...AssessmentsMetadataOperationsExtensions.cs | 294 ++ .../Generated/AssessmentsOperations.cs | 1003 +++++++ .../AssessmentsOperationsExtensions.cs | 234 ++ .../AutoProvisioningSettingsOperations.cs | 814 ++++++ ...rovisioningSettingsOperationsExtensions.cs | 163 ++ .../Generated/AutomationsOperations.cs | 1695 ++++++++++++ .../AutomationsOperationsExtensions.cs | 356 +++ .../Generated/ComplianceResultsOperations.cs | 598 ++++ .../ComplianceResultsOperationsExtensions.cs | 137 + .../Generated/CompliancesOperations.cs | 600 ++++ .../CompliancesOperationsExtensions.cs | 141 + .../Generated/ConnectorsOperations.cs | 992 +++++++ .../ConnectorsOperationsExtensions.cs | 206 ++ .../CustomAssessmentAutomationsOperations.cs | 1479 ++++++++++ ...sessmentAutomationsOperationsExtensions.cs | 338 +++ .../CustomEntityStoreAssignmentsOperations.cs | 1481 ++++++++++ ...ityStoreAssignmentsOperationsExtensions.cs | 340 +++ .../DeviceSecurityGroupsOperations.cs | 992 +++++++ ...eviceSecurityGroupsOperationsExtensions.cs | 230 ++ 
.../DiscoveredSecuritySolutionsOperations.cs | 995 +++++++ ...edSecuritySolutionsOperationsExtensions.cs | 195 ++ .../ExternalSecuritySolutionsOperations.cs | 995 +++++++ ...alSecuritySolutionsOperationsExtensions.cs | 195 ++ .../GovernanceAssignmentsOperations.cs | 1038 +++++++ ...vernanceAssignmentsOperationsExtensions.cs | 266 ++ .../Generated/GovernanceRuleOperations.cs | 410 +++ .../GovernanceRuleOperationsExtensions.cs | 87 + .../Generated/GovernanceRulesOperations.cs | 1137 ++++++++ .../GovernanceRulesOperationsExtensions.cs | 332 +++ .../IAdaptiveApplicationControlsOperations.cs | 118 + .../IAdaptiveNetworkHardeningsOperations.cs | 198 ++ .../IAdvancedThreatProtectionOperations.cs | 76 + .../IAlertsSuppressionRulesOperations.cs | 138 + .../IAllowedConnectionsOperations.cs | 141 + .../Generated/IApplicationOperations.cs | 96 + .../Generated/IApplicationsOperations.cs | 70 + .../IAssessmentsMetadataOperations.cs | 203 ++ .../Generated/IAssessmentsOperations.cs | 158 ++ .../IAutoProvisioningSettingsOperations.cs | 116 + .../Generated/IAutomationsOperations.cs | 231 ++ .../Generated/IComplianceResultsOperations.cs | 98 + .../Generated/ICompliancesOperations.cs | 100 + .../Generated/IConnectorsOperations.cs | 142 + .../ICustomAssessmentAutomationsOperations.cs | 220 ++ ...ICustomEntityStoreAssignmentsOperations.cs | 221 ++ .../IDeviceSecurityGroupsOperations.cs | 153 + .../IDiscoveredSecuritySolutionsOperations.cs | 137 + .../IExternalSecuritySolutionsOperations.cs | 137 + .../IGovernanceAssignmentsOperations.cs | 173 ++ .../Generated/IGovernanceRuleOperations.cs | 70 + .../Generated/IGovernanceRulesOperations.cs | 203 ++ ...InformationProtectionPoliciesOperations.cs | 135 + .../Generated/IIngestionSettingsOperations.cs | 183 ++ ...IIotSecuritySolutionAnalyticsOperations.cs | 79 + .../IIotSecuritySolutionOperations.cs | 235 ++ ...tionsAnalyticsAggregatedAlertOperations.cs | 137 + ...utionsAnalyticsRecommendationOperations.cs | 111 + 
.../IJitNetworkAccessPoliciesOperations.cs | 319 +++ .../Generated/ILocationsOperations.cs | 93 + .../Generated/IMdeOnboardingsOperations.cs | 66 + .../Generated/IOperations.cs | 68 + .../Generated/IPricingsOperations.cs | 105 + ...gulatoryComplianceAssessmentsOperations.cs | 108 + ...IRegulatoryComplianceControlsOperations.cs | 101 + ...RegulatoryComplianceStandardsOperations.cs | 93 + ...SecureScoreControlDefinitionsOperations.cs | 113 + .../ISecureScoreControlsOperations.cs | 119 + .../Generated/ISecureScoresOperations.cs | 95 + .../Generated/ISecurityCenterClient.cs | 308 +- ...ISecurityConnectorApplicationOperations.cs | 118 + ...SecurityConnectorApplicationsOperations.cs | 77 + ...curityConnectorGovernanceRuleOperations.cs | 77 + ...rGovernanceRulesExecuteStatusOperations.cs | 97 + ...urityConnectorGovernanceRulesOperations.cs | 118 + .../ISecurityConnectorsOperations.cs | 230 ++ .../Generated/ISecurityContactsOperations.cs | 134 + .../Generated/ISecuritySolutionsOperations.cs | 94 + ...ecuritySolutionsReferenceDataOperations.cs | 67 + ...ServerVulnerabilityAssessmentOperations.cs | 184 ++ .../Generated/ISettingsOperations.cs | 123 + .../ISoftwareInventoriesOperations.cs | 159 ++ ...bilityAssessmentBaselineRulesOperations.cs | 189 ++ ...rabilityAssessmentScanResultsOperations.cs | 94 + ...lVulnerabilityAssessmentScansOperations.cs | 87 + .../Generated/ISubAssessmentsOperations.cs | 156 ++ ...nGovernanceRulesExecuteStatusOperations.cs | 83 + .../Generated/ITasksOperations.cs | 271 ++ .../Generated/ITopologyOperations.cs | 137 + .../Generated/IWorkspaceSettingsOperations.cs | 177 ++ ...InformationProtectionPoliciesOperations.cs | 830 ++++++ ...nProtectionPoliciesOperationsExtensions.cs | 203 ++ .../Generated/IngestionSettingsOperations.cs | 1369 +++++++++ .../IngestionSettingsOperationsExtensions.cs | 270 ++ .../IotSecuritySolutionAnalyticsOperations.cs | 488 ++++ ...tySolutionAnalyticsOperationsExtensions.cs | 109 + .../IotSecuritySolutionOperations.cs | 1710 
++++++++++++ ...IotSecuritySolutionOperationsExtensions.cs | 358 +++ ...tionsAnalyticsAggregatedAlertOperations.cs | 886 ++++++ ...ticsAggregatedAlertOperationsExtensions.cs | 206 ++ ...utionsAnalyticsRecommendationOperations.cs | 682 +++++ ...yticsRecommendationOperationsExtensions.cs | 163 ++ .../JitNetworkAccessPoliciesOperations.cs | 2465 +++++++++++++++++ ...tworkAccessPoliciesOperationsExtensions.cs | 486 ++++ .../Generated/LocationsOperations.cs | 604 ++++ .../LocationsOperationsExtensions.cs | 127 + .../Generated/MdeOnboardingsOperations.cs | 420 +++ .../MdeOnboardingsOperationsExtensions.cs | 81 + .../Generated/Models/AadConnectivityState.cs | 23 + .../Generated/Models/AadConnectivityState1.cs | 55 + .../Models/AadExternalSecuritySolution.cs | 59 + .../Generated/Models/AadSolutionProperties.cs | 73 + .../ActiveConnectionsNotInAllowedRange.cs | 66 + .../Models/AdaptiveApplicationControlGroup.cs | 145 + .../AdaptiveApplicationControlGroups.cs | 54 + .../AdaptiveApplicationControlIssueSummary.cs | 69 + .../Models/AdaptiveNetworkHardening.cs | 83 + .../AdaptiveNetworkHardeningEnforceRequest.cs | 83 + .../Generated/Models/AdditionalData.cs | 37 + .../Models/AdditionalWorkspaceDataType.cs | 22 + .../Models/AdditionalWorkspaceType.cs | 21 + .../Models/AdditionalWorkspacesProperties.cs | 73 + .../Models/AdvancedThreatProtectionSetting.cs | 62 + .../Models/AlertSimulatorRequestProperties.cs | 1 + .../Generated/Models/AlertSyncSettings.cs | 69 + .../Generated/Models/AlertsSuppressionRule.cs | 137 + .../Models/AllowedConnectionsResource.cs | 101 + .../Models/AllowlistCustomAlertRule.cs | 80 + .../AmqpC2DMessagesNotInAllowedRange.cs | 67 + ...mqpC2DRejectedMessagesNotInAllowedRange.cs | 67 + .../AmqpD2CMessagesNotInAllowedRange.cs | 67 + .../Generated/Models/Application.cs | 103 + .../Generated/Models/ApplicationCondition.cs | 76 + .../Models/ApplicationConditionOperator.cs | 35 + .../Generated/Models/AssessmentLinks.cs | 52 + .../Generated/Models/AssessmentStatus.cs 
| 87 + .../Generated/Models/AssessmentStatusCode.cs | 32 + .../Models/AssessmentStatusResponse.cs | 83 + .../Generated/Models/AssessmentType.cs | 39 + .../Models/AtaExternalSecuritySolution.cs | 59 + .../Generated/Models/AtaSolutionProperties.cs | 54 + .../Models/AuthenticationDetailsProperties.cs | 68 + .../Models/AuthenticationProvisioningState.cs | 36 + .../Generated/Models/AutoProvision.cs | 28 + .../Models/AutoProvisioningSetting.cs | 74 + .../Generated/Models/Automation.cs | 113 + .../Generated/Models/AutomationAction.cs | 37 + .../Models/AutomationActionEventHub.cs | 74 + .../Models/AutomationActionLogicApp.cs | 68 + .../Models/AutomationActionWorkspace.cs | 61 + .../Generated/Models/AutomationRuleSet.cs | 53 + .../Generated/Models/AutomationScope.cs | 64 + .../Generated/Models/AutomationSource.cs | 78 + .../Models/AutomationTriggeringRule.cs | 93 + .../Models/AutomationValidationStatus.cs | 60 + ...sumeRoleAuthenticationDetailsProperties.cs | 105 + ...AwsCredsAuthenticationDetailsProperties.cs | 104 + .../Generated/Models/AwsEnvironmentData.cs | 53 + .../Generated/Models/AwsOrganizationalData.cs | 37 + .../Models/AwsOrganizationalDataMaster.cs | 70 + .../Models/AwsOrganizationalDataMember.cs | 57 + .../Models/AzureDevOpsScopeEnvironmentData.cs | 38 + .../Generated/Models/AzureResourceDetails.cs | 52 + .../Generated/Models/AzureResourceLink.cs | 51 + .../Generated/Models/Baseline.cs | 61 + .../Models/BaselineAdjustedResult.cs | 79 + .../Generated/Models/BenchmarkReference.cs | 59 + .../Generated/Models/CVE.cs | 59 + .../Generated/Models/CVSS.cs | 51 + .../Generated/Models/Categories.cs | 25 + .../Models/CefExternalSecuritySolution.cs | 58 + .../Generated/Models/CefSolutionProperties.cs | 66 + .../Generated/Models/CloudName.cs | 25 + .../Generated/Models/CloudOffering.cs | 52 + .../Generated/Models/Compliance.cs | 83 + .../Generated/Models/ComplianceResult.cs | 62 + .../Generated/Models/ComplianceSegment.cs | 61 + .../Generated/Models/Condition.cs | 76 + 
.../Generated/Models/ConnectableResource.cs | 74 + .../Generated/Models/ConnectedResource.cs | 68 + .../Generated/Models/ConnectedWorkspace.cs | 52 + .../Models/ConnectionFromIpNotAllowed.cs | 67 + .../Generated/Models/ConnectionStrings.cs | 67 + .../Models/ConnectionToIpNotAllowed.cs | 67 + .../Generated/Models/ConnectionType.cs | 22 + .../Generated/Models/ConnectorSetting.cs | 85 + ...ontainerRegistryVulnerabilityProperties.cs | 117 + .../Generated/Models/ControlType.cs | 28 + .../Generated/Models/CreatedByType.cs | 24 + .../Models/CspmMonitorAwsOffering.cs | 55 + ...MonitorAwsOfferingNativeCloudConnection.cs | 54 + .../Models/CspmMonitorAzureDevOpsOffering.cs | 48 + .../Models/CspmMonitorGcpOffering.cs | 55 + ...MonitorGcpOfferingNativeCloudConnection.cs | 64 + .../Models/CspmMonitorGithubOffering.cs | 46 + .../Generated/Models/CustomAlertRule.cs | 80 + .../Models/CustomAssessmentAutomation.cs | 134 + .../CustomAssessmentAutomationRequest.cs | 116 + .../Models/CustomEntityStoreAssignment.cs | 82 + .../CustomEntityStoreAssignmentRequest.cs | 60 + .../Generated/Models/DataExportSettings.cs | 69 + .../Generated/Models/DataSource.cs | 24 + .../Models/DefenderCspmAwsOffering.cs | 56 + .../DefenderCspmAwsOfferingVmScanners.cs | 64 + ...rCspmAwsOfferingVmScannersConfiguration.cs | 75 + .../Models/DefenderCspmGcpOffering.cs | 46 + .../Models/DefenderFoDatabasesAwsOffering.cs | 65 + ...DatabasesAwsOfferingArcAutoProvisioning.cs | 62 + .../DefenderFoDatabasesAwsOfferingRds.cs | 62 + .../DefenderForContainersAwsOffering.cs | 141 + ...ontainersAwsOfferingCloudWatchToKinesis.cs | 55 + ...fferingContainerVulnerabilityAssessment.cs | 56 + ...ingContainerVulnerabilityAssessmentTask.cs | 56 + ...nderForContainersAwsOfferingKinesisToS3.cs | 55 + ...tainersAwsOfferingKubernetesScubaReader.cs | 55 + ...rContainersAwsOfferingKubernetesService.cs | 55 + .../DefenderForContainersGcpOffering.cs | 95 + ...feringDataPipelineNativeCloudConnection.cs | 67 + 
...tainersGcpOfferingNativeCloudConnection.cs | 65 + .../Models/DefenderForDatabasesGcpOffering.cs | 66 + ...DatabasesGcpOfferingArcAutoProvisioning.cs | 53 + ...DefenderForDatabasesArcAutoProvisioning.cs | 67 + .../DefenderForDevOpsAzureDevOpsOffering.cs | 48 + .../Models/DefenderForDevOpsGithubOffering.cs | 48 + .../Models/DefenderForServersAwsOffering.cs | 105 + ...orServersAwsOfferingArcAutoProvisioning.cs | 62 + ...ForServersAwsOfferingDefenderForServers.cs | 54 + ...orServersAwsOfferingMdeAutoProvisioning.cs | 65 + .../DefenderForServersAwsOfferingSubPlan.cs | 55 + ...ForServersAwsOfferingVaAutoProvisioning.cs | 64 + ...OfferingVaAutoProvisioningConfiguration.cs | 57 + ...DefenderForServersAwsOfferingVmScanners.cs | 64 + ...rversAwsOfferingVmScannersConfiguration.cs | 75 + .../Models/DefenderForServersGcpOffering.cs | 95 + ...orServersGcpOfferingArcAutoProvisioning.cs | 53 + ...ForServersGcpOfferingDefenderForServers.cs | 65 + ...orServersGcpOfferingMdeAutoProvisioning.cs | 65 + .../DefenderForServersGcpOfferingSubPlan.cs | 55 + ...ForServersGcpOfferingVaAutoProvisioning.cs | 64 + ...OfferingVaAutoProvisioningConfiguration.cs | 57 + .../Models/DenylistCustomAlertRule.cs | 80 + .../Generated/Models/DeviceSecurityGroup.cs | 88 + .../DirectMethodInvokesNotInAllowedRange.cs | 66 + .../Generated/Models/Direction.cs | 22 + .../Models/DiscoveredSecuritySolution.cs | 137 + .../Models/EffectiveNetworkSecurityGroups.cs | 66 + .../Generated/Models/EndOfSupportStatus.cs | 25 + .../Generated/Models/EnvironmentData.cs | 37 + .../Generated/Models/EventSource.cs | 31 + .../Models/ExecuteGovernanceRuleParams.cs | 54 + .../Generated/Models/ExecuteRuleStatus.cs | 52 + .../Generated/Models/ExpandControlsEnum.cs | 24 + .../Generated/Models/ExpandEnum.cs | 28 + .../Generated/Models/ExportData.cs | 24 + .../Models/ExternalSecuritySolution.cs | 79 + .../Models/ExternalSecuritySolutionKind.cs | 23 + .../Models/ExternalSecuritySolutionKind1.cs | 55 + 
.../ExternalSecuritySolutionProperties.cs | 75 + .../FailedLocalLoginsNotInAllowedRange.cs | 66 + .../Models/FileUploadsNotInAllowedRange.cs | 66 + .../Models/GcpCredentialsDetailsProperties.cs | 210 ++ .../Generated/Models/GcpOrganizationalData.cs | 37 + .../Models/GcpOrganizationalDataMember.cs | 67 + .../GcpOrganizationalDataOrganization.cs | 81 + .../Generated/Models/GcpProjectDetails.cs | 68 + .../Models/GcpProjectEnvironmentData.cs | 61 + .../Models/GithubScopeEnvironmentData.cs | 37 + .../Generated/Models/GovernanceAssignment.cs | 130 + .../GovernanceAssignmentAdditionalData.cs | 92 + .../Models/GovernanceEmailNotification.cs | 63 + .../Generated/Models/GovernanceRule.cs | 201 ++ .../Models/GovernanceRuleConditionOperator.cs | 30 + .../Models/GovernanceRuleEmailNotification.cs | 65 + .../Models/GovernanceRuleOwnerSource.cs | 63 + .../Models/GovernanceRuleOwnerSourceType.cs | 28 + .../Generated/Models/GovernanceRuleType.cs | 28 + ...IdExecuteSingleSecurityConnectorHeaders.cs | 54 + ...sRuleIdExecuteSingleSubscriptionHeaders.cs | 54 + .../HttpC2DMessagesNotInAllowedRange.cs | 67 + ...ttpC2DRejectedMessagesNotInAllowedRange.cs | 67 + .../HttpD2CMessagesNotInAllowedRange.cs | 67 + .../Models/HybridComputeProvisioningState.cs | 32 + .../Models/HybridComputeSettingsProperties.cs | 124 + .../Generated/Models/ImplementationEffort.cs | 23 + .../InformationProtectionAwsOffering.cs | 57 + ...tectionAwsOfferingInformationProtection.cs | 54 + .../Models/InformationProtectionKeyword.cs | 81 + .../Models/InformationProtectionPolicy.cs | 88 + .../Models/InformationProtectionPolicyName.cs | 22 + .../Generated/Models/InformationType.cs | 108 + .../Models/IngestionConnectionString.cs | 60 + .../Generated/Models/IngestionSetting.cs | 56 + .../Generated/Models/IngestionSettingToken.cs | 54 + .../Generated/Models/Intent.cs | 2 +- .../Models/IoTSecurityAggregatedAlert.cs | 200 ++ ...egatedAlertPropertiesTopDevicesListItem.cs | 69 + .../IoTSecurityAggregatedRecommendation.cs | 175 
++ .../Models/IoTSecurityAlertedDevice.cs | 61 + .../Models/IoTSecurityDeviceAlert.cs | 71 + .../Models/IoTSecurityDeviceRecommendation.cs | 75 + .../IoTSecuritySolutionAnalyticsModel.cs | 108 + .../IoTSecuritySolutionAnalyticsModelList.cs | 81 + ...lyticsModelPropertiesDevicesMetricsItem.cs | 63 + .../Models/IoTSecuritySolutionModel.cs | 225 ++ .../Generated/Models/IoTSeverityMetrics.cs | 70 + .../Models/JitNetworkAccessPolicy.cs | 144 + .../JitNetworkAccessPolicyInitiatePort.cs | 78 + .../JitNetworkAccessPolicyInitiateRequest.cs | 87 + ...tworkAccessPolicyInitiateVirtualMachine.cs | 91 + .../JitNetworkAccessPolicyVirtualMachine.cs | 101 + .../Models/JitNetworkAccessPortRule.cs | 109 + .../Models/JitNetworkAccessRequest.cs | 103 + .../Models/JitNetworkAccessRequestPort.cs | 133 + .../JitNetworkAccessRequestVirtualMachine.cs | 91 + .../Generated/Models/ListCustomAlertRule.cs | 70 + .../Generated/Models/LocalUserNotAllowed.cs | 67 + .../Generated/Models/Location.cs | 52 + .../Generated/Models/MdeOnboardingData.cs | 75 + .../Generated/Models/MdeOnboardingDataList.cs | 55 + .../Generated/Models/MinimalSeverity.cs | 33 + .../MqttC2DMessagesNotInAllowedRange.cs | 67 + ...qttC2DRejectedMessagesNotInAllowedRange.cs | 67 + .../MqttD2CMessagesNotInAllowedRange.cs | 67 + .../Models/OnPremiseResourceDetails.cs | 105 + .../Models/OnPremiseSqlResourceDetails.cs | 90 + .../Generated/Models/Operation.cs | 65 + .../Generated/Models/OperationDisplay.cs | 78 + .../Generated/Models/OperatorModel.cs | 56 + .../Generated/Models/PathRecommendation.cs | 125 + .../Generated/Models/PermissionProperty.cs | 40 + .../Generated/Models/Pricing.cs | 132 + .../Generated/Models/PricingList.cs | 77 + .../Generated/Models/PricingTier.cs | 30 + .../Generated/Models/ProcessNotAllowed.cs | 67 + .../Generated/Models/PropertyType.cs | 24 + .../Generated/Models/ProtectionMode.cs | 80 + .../Generated/Models/Protocol.cs | 23 + .../Generated/Models/ProvisioningState.cs | 23 + 
.../Generated/Models/ProxyServerProperties.cs | 60 + .../Generated/Models/PublisherInfo.cs | 86 + .../Generated/Models/QueryCheck.cs | 69 + .../Models/QueuePurgesNotInAllowedRange.cs | 66 + .../Generated/Models/Rank.cs | 78 + .../Models/RecommendationConfigStatus.cs | 22 + .../RecommendationConfigurationProperties.cs | 107 + .../Generated/Models/RecommendationType.cs | 101 + .../Models/RegulatoryComplianceAssessment.cs | 134 + .../Models/RegulatoryComplianceControl.cs | 106 + .../Models/RegulatoryComplianceStandard.cs | 108 + .../Generated/Models/Remediation.cs | 78 + .../Generated/Models/RemediationEta.cs | 74 + .../Generated/Models/ReportedSeverity.cs | 24 + .../Generated/Models/ResourceDetails.cs | 37 + .../Generated/Models/ResourceIdentifier.cs | 2 + .../Generated/Models/ResourceStatus.cs | 36 + .../Generated/Models/Roles.cs | 38 + .../Generated/Models/Rule.cs | 93 + .../Generated/Models/RuleResults.cs | 53 + .../Generated/Models/RuleResultsInput.cs | 64 + .../Generated/Models/RuleResultsProperties.cs | 53 + .../Generated/Models/RuleSeverity.cs | 40 + .../Generated/Models/RuleState.cs | 66 + .../Generated/Models/RuleStatus.cs | 32 + .../Generated/Models/RuleType.cs | 36 + .../Generated/Models/RulesResults.cs | 53 + .../Generated/Models/RulesResultsInput.cs | 64 + .../Generated/Models/Scan.cs | 53 + .../Generated/Models/ScanProperties.cs | 167 ++ .../Generated/Models/ScanResult.cs | 53 + .../Generated/Models/ScanResultProperties.cs | 100 + .../Generated/Models/ScanResults.cs | 54 + .../Generated/Models/ScanState.cs | 36 + .../Generated/Models/ScanTriggerType.cs | 28 + .../Generated/Models/ScanningMode.cs | 21 + .../Generated/Models/Scans.cs | 54 + .../Generated/Models/ScopeElement.cs | 63 + .../SecureScoreControlDefinitionItem.cs | 126 + .../SecureScoreControlDefinitionSource.cs | 55 + .../Models/SecureScoreControlDetails.cs | 176 ++ .../Models/SecureScoreControlScore.cs | 116 + .../Generated/Models/SecureScoreItem.cs | 136 + 
.../SecurityAlertNotificationByRoleState.cs | 28 + .../Models/SecurityAlertNotificationState.cs | 28 + .../Generated/Models/SecurityAssessment.cs | 129 + .../Models/SecurityAssessmentMetadata.cs | 187 ++ .../SecurityAssessmentMetadataPartnerData.cs | 92 + .../SecurityAssessmentMetadataProperties.cs | 183 ++ ...tMetadataPropertiesResponsePublishDates.cs | 82 + .../SecurityAssessmentMetadataResponse.cs | 224 ++ .../Models/SecurityAssessmentPartnerData.cs | 81 + .../SecurityAssessmentPropertiesBase.cs | 111 + .../Models/SecurityAssessmentResponse.cs | 129 + .../Generated/Models/SecurityConnector.cs | 120 + ...rGovernanceRulesExecuteStatusGetHeaders.cs | 54 + .../Generated/Models/SecurityContact.cs | 93 + ...rityContactPropertiesAlertNotifications.cs | 68 + ...ityContactPropertiesNotificationsByRole.cs | 72 + .../Generated/Models/SecurityFamily.cs | 24 + .../Generated/Models/SecuritySolution.cs | 140 + .../Models/SecuritySolutionStatus.cs | 22 + .../Models/SecuritySolutionsReferenceData.cs | 178 ++ .../SecuritySolutionsReferenceDataList.cs | 50 + .../Generated/Models/SecuritySubAssessment.cs | 129 + .../Generated/Models/SecurityTask.cs | 92 + .../Models/SecurityTaskParameters.cs | 64 + .../Generated/Models/SensitivityLabel.cs | 88 + .../Models/ServerVulnerabilityAssessment.cs | 65 + .../ServerVulnerabilityAssessmentsList.cs | 53 + .../Models/ServerVulnerabilityProperties.cs | 106 + .../Models/ServicePrincipalProperties.cs | 64 + .../Generated/Models/Setting.cs | 48 + .../Generated/Models/SettingName2.cs | 25 + .../Generated/Models/SettingName4.cs | 25 + .../Generated/Models/SettingName5.cs | 25 + .../Generated/Models/Severity.cs | 23 + .../Generated/Models/SeverityEnum.cs | 23 + .../Generated/Models/Software.cs | 136 + .../SqlServerVulnerabilityProperties.cs | 66 + .../Generated/Models/State.cs | 39 + .../Generated/Models/Status.cs | 22 + .../Generated/Models/StatusReason.cs | 23 + .../Generated/Models/SubAssessmentStatus.cs | 82 + .../Models/SubAssessmentStatusCode.cs 
| 32 + .../Generated/Models/SubPlan.cs | 22 + ...nGovernanceRulesExecuteStatusGetHeaders.cs | 54 + .../Generated/Models/SupportedCloudEnum.cs | 22 + .../Models/SuppressionAlertsScope.cs | 66 + .../Generated/Models/SystemData.cs | 103 + .../Generated/Models/Tactics.cs | 34 + .../Generated/Models/TagsResource.cs | 54 + .../Generated/Models/TaskUpdateActionType.cs | 25 + .../Generated/Models/Techniques.cs | 124 + .../Generated/Models/Threats.cs | 28 + .../Models/ThresholdCustomAlertRule.cs | 77 + .../Models/TimeWindowCustomAlertRule.cs | 72 + .../Generated/Models/TopologyResource.cs | 96 + .../Models/TopologySingleResource.cs | 115 + .../Models/TopologySingleResourceChild.cs | 52 + .../Models/TopologySingleResourceParent.cs | 52 + .../Generated/Models/TransportProtocol.cs | 22 + .../Models/TwinUpdatesNotInAllowedRange.cs | 66 + .../Generated/Models/Type.cs | 22 + ...UnauthorizedOperationsNotInAllowedRange.cs | 66 + .../Models/UnmaskedIpLoggingStatus.cs | 28 + .../Models/UpdateIotSecuritySolutionData.cs | 84 + .../Models/UserDefinedResourcesProperties.cs | 87 + .../Generated/Models/UserImpact.cs | 23 + .../Generated/Models/UserRecommendation.cs | 63 + .../Generated/Models/VaRule.cs | 119 + .../Generated/Models/ValueType.cs | 28 + .../Generated/Models/VendorReference.cs | 59 + .../Generated/Models/VmRecommendation.cs | 80 + .../Generated/Models/WorkspaceSetting.cs | 89 + .../Generated/Operations.cs | 392 +++ .../Generated/OperationsExtensions.cs | 87 + .../Generated/PricingsOperations.cs | 653 +++++ .../Generated/PricingsOperationsExtensions.cs | 151 + ...gulatoryComplianceAssessmentsOperations.cs | 648 +++++ ...mplianceAssessmentsOperationsExtensions.cs | 155 ++ .../RegulatoryComplianceControlsOperations.cs | 630 +++++ ...yComplianceControlsOperationsExtensions.cs | 143 + ...RegulatoryComplianceStandardsOperations.cs | 610 ++++ ...ComplianceStandardsOperationsExtensions.cs | 127 + .../Generated/SdkInfo_SecurityCenter.cs | 60 + 
...SecureScoreControlDefinitionsOperations.cs | 750 +++++ ...eControlDefinitionsOperationsExtensions.cs | 153 + .../SecureScoreControlsOperations.cs | 792 ++++++ ...SecureScoreControlsOperationsExtensions.cs | 169 ++ .../Generated/SecureScoresOperations.cs | 606 ++++ .../SecureScoresOperationsExtensions.cs | 129 + .../Generated/SecurityCenterClient.cs | 392 ++- .../SecurityConnectorApplicationOperations.cs | 747 +++++ ...onnectorApplicationOperationsExtensions.cs | 172 ++ ...SecurityConnectorApplicationsOperations.cs | 446 +++ ...nnectorApplicationsOperationsExtensions.cs | 105 + ...curityConnectorGovernanceRuleOperations.cs | 446 +++ ...ectorGovernanceRuleOperationsExtensions.cs | 105 + ...rGovernanceRulesExecuteStatusOperations.cs | 352 +++ ...eRulesExecuteStatusOperationsExtensions.cs | 145 + ...urityConnectorGovernanceRulesOperations.cs | 751 +++++ ...ctorGovernanceRulesOperationsExtensions.cs | 180 ++ .../Generated/SecurityConnectorsOperations.cs | 1694 +++++++++++ .../SecurityConnectorsOperationsExtensions.cs | 354 +++ .../Generated/SecurityContactsOperations.cs | 997 +++++++ .../SecurityContactsOperationsExtensions.cs | 192 ++ .../Generated/SecuritySolutionsOperations.cs | 632 +++++ .../SecuritySolutionsOperationsExtensions.cs | 129 + ...ecuritySolutionsReferenceDataOperations.cs | 426 +++ ...utionsReferenceDataOperationsExtensions.cs | 83 + ...ServerVulnerabilityAssessmentOperations.cs | 1014 +++++++ ...erabilityAssessmentOperationsExtensions.cs | 295 ++ .../Generated/SettingsOperations.cs | 811 ++++++ .../Generated/SettingsOperationsExtensions.cs | 167 ++ .../SoftwareInventoriesOperations.cs | 1062 +++++++ ...SoftwareInventoriesOperationsExtensions.cs | 235 ++ ...bilityAssessmentBaselineRulesOperations.cs | 1094 ++++++++ ...ssmentBaselineRulesOperationsExtensions.cs | 304 ++ ...rabilityAssessmentScanResultsOperations.cs | 477 ++++ ...sessmentScanResultsOperationsExtensions.cs | 135 + ...lVulnerabilityAssessmentScansOperations.cs | 459 +++ 
...lityAssessmentScansOperationsExtensions.cs | 123 + .../Generated/SubAssessmentsOperations.cs | 975 +++++++ .../SubAssessmentsOperationsExtensions.cs | 229 ++ ...nGovernanceRulesExecuteStatusOperations.cs | 311 +++ ...eRulesExecuteStatusOperationsExtensions.cs | 117 + .../Generated/TasksOperations.cs | 2007 ++++++++++++++ .../Generated/TasksOperationsExtensions.cs | 419 +++ .../Generated/TopologyOperations.cs | 995 +++++++ .../Generated/TopologyOperationsExtensions.cs | 195 ++ .../Generated/WorkspaceSettingsOperations.cs | 1217 ++++++++ .../WorkspaceSettingsOperationsExtensions.cs | 256 ++ .../Security.Management.Sdk/README.md | 51 +- 527 files changed, 96920 insertions(+), 116 deletions(-) create mode 100644 src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ApplicationOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ApplicationOperationsExtensions.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/ApplicationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ApplicationsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AssessmentsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AutomationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/AutomationsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/CompliancesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/CompliancesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ConnectorsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ConnectorsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperations.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAdaptiveApplicationControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAdaptiveNetworkHardeningsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAdvancedThreatProtectionOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAlertsSuppressionRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAllowedConnectionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IApplicationOperations.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/IApplicationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAssessmentsMetadataOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAutoProvisioningSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IAutomationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IComplianceResultsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ICompliancesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IConnectorsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ICustomAssessmentAutomationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ICustomEntityStoreAssignmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IDeviceSecurityGroupsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IDiscoveredSecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IExternalSecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IGovernanceAssignmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IGovernanceRuleOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IGovernanceRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IInformationProtectionPoliciesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IIngestionSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionAnalyticsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionOperations.cs create mode 
100644 src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsRecommendationOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IJitNetworkAccessPoliciesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ILocationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IMdeOnboardingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IPricingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceAssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceStandardsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecureScoreControlDefinitionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecureScoreControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecureScoresOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRuleOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesExecuteStatusOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityConnectorsOperations.cs 
create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsReferenceDataOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IServerVulnerabilityAssessmentOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISoftwareInventoriesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentBaselineRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScanResultsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScansOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISubAssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ISubscriptionGovernanceRulesExecuteStatusOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ITasksOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ITopologyOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IWorkspaceSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperations.cs create mode 
100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/LocationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/LocationsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState1.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AadExternalSecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AadSolutionProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ActiveConnectionsNotInAllowedRange.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroup.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroups.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlIssueSummary.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardening.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardeningEnforceRequest.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdditionalData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceDataType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspacesProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AdvancedThreatProtectionSetting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertSyncSettings.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AlertsSuppressionRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AllowedConnectionsResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AllowlistCustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DRejectedMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AmqpD2CMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Application.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ApplicationCondition.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/ApplicationConditionOperator.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AssessmentLinks.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusCode.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusResponse.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AssessmentType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AtaExternalSecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AtaSolutionProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AuthenticationDetailsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AuthenticationProvisioningState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutoProvision.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutoProvisioningSetting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Automation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationAction.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationActionEventHub.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationActionLogicApp.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationActionWorkspace.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationRuleSet.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationScope.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationSource.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/AutomationTriggeringRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AutomationValidationStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwAssumeRoleAuthenticationDetailsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwsCredsAuthenticationDetailsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwsEnvironmentData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMaster.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMember.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AzureDevOpsScopeEnvironmentData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AzureResourceDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/AzureResourceLink.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Baseline.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/BaselineAdjustedResult.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/BenchmarkReference.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CVE.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CVSS.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Categories.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CefExternalSecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CefSolutionProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CloudName.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/CloudOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Compliance.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ComplianceResult.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ComplianceSegment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Condition.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectableResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectedResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectedWorkspace.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectionFromIpNotAllowed.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectionStrings.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectionToIpNotAllowed.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectionType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ConnectorSetting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ContainerRegistryVulnerabilityProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ControlType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CreatedByType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOfferingNativeCloudConnection.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAzureDevOpsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOffering.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOfferingNativeCloudConnection.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGithubOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomationRequest.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignmentRequest.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DataExportSettings.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DataSource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScanners.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScannersConfiguration.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmGcpOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingArcAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingRds.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingCloudWatchToKinesis.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKinesisToS3.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesScubaReader.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesService.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingNativeCloudConnection.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingArcAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsAzureDevOpsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsGithubOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingArcAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingDefenderForServers.cs create mode 
100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingMdeAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingSubPlan.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioningConfiguration.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScanners.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScannersConfiguration.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingArcAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingDefenderForServers.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingMdeAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingSubPlan.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioning.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioningConfiguration.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DenylistCustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DeviceSecurityGroup.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/DirectMethodInvokesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Direction.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/DiscoveredSecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/EffectiveNetworkSecurityGroups.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/EndOfSupportStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/EnvironmentData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/EventSource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExecuteGovernanceRuleParams.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExecuteRuleStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExpandControlsEnum.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExpandEnum.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExportData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind1.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/FailedLocalLoginsNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/FileUploadsNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpCredentialsDetailsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataMember.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataOrganization.cs create 
mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpProjectDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GcpProjectEnvironmentData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GithubScopeEnvironmentData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignmentAdditionalData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceEmailNotification.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleConditionOperator.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleEmailNotification.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSourceType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/HttpC2DMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/HttpC2DRejectedMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/HttpD2CMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/HybridComputeProvisioningState.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/HybridComputeSettingsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ImplementationEffort.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOffering.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOfferingInformationProtection.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionKeyword.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicy.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicyName.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/InformationType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IngestionConnectionString.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IngestionSetting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IngestionSettingToken.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlert.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedRecommendation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAlertedDevice.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceAlert.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceRecommendation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModel.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelList.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionModel.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/IoTSeverityMetrics.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicy.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiatePort.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateRequest.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateVirtualMachine.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyVirtualMachine.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPortRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequest.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestPort.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestVirtualMachine.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ListCustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/LocalUserNotAllowed.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Location.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingDataList.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/MinimalSeverity.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/MqttC2DMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/MqttC2DRejectedMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/MqttD2CMessagesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/OnPremiseResourceDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/OnPremiseSqlResourceDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Operation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/OperationDisplay.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/OperatorModel.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PathRecommendation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PermissionProperty.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Pricing.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PricingList.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PricingTier.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ProcessNotAllowed.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PropertyType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ProtectionMode.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Protocol.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ProvisioningState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ProxyServerProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/PublisherInfo.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/QueryCheck.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/QueuePurgesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Rank.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigurationProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RecommendationType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceAssessment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceControl.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceStandard.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Remediation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RemediationEta.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ReportedSeverity.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ResourceDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ResourceStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Roles.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Rule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleResults.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleResultsInput.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleResultsProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleSeverity.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RuleStatus.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/RuleType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RulesResults.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/RulesResultsInput.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Scan.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanResult.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanResultProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanResults.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanTriggerType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScanningMode.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Scans.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ScopeElement.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionItem.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionSource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDetails.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlScore.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecureScoreItem.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationByRoleState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationState.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessment.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadata.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPartnerData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPropertiesResponsePublishDates.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataResponse.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPartnerData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPropertiesBase.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentResponse.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityConnector.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityConnectorGovernanceRulesExecuteStatusGetHeaders.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityContact.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesAlertNotifications.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesNotificationsByRole.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityFamily.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecuritySolution.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceDataList.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/SecuritySubAssessment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityTask.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SecurityTaskParameters.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SensitivityLabel.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessment.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessmentsList.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ServicePrincipalProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Setting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SettingName2.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SettingName4.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SettingName5.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Severity.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SeverityEnum.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Software.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SqlServerVulnerabilityProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/State.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Status.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/StatusReason.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatusCode.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/SubPlan.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SubscriptionGovernanceRulesExecuteStatusGetHeaders.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SupportedCloudEnum.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SuppressionAlertsScope.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/SystemData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Tactics.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TagsResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TaskUpdateActionType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Techniques.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Threats.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ThresholdCustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TimeWindowCustomAlertRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TopologyResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResource.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceChild.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceParent.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TransportProtocol.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/TwinUpdatesNotInAllowedRange.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/Type.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/UnauthorizedOperationsNotInAllowedRange.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/Models/UnmaskedIpLoggingStatus.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/UpdateIotSecuritySolutionData.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/UserDefinedResourcesProperties.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/UserImpact.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/UserRecommendation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/VaRule.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/ValueType.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/VendorReference.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/VmRecommendation.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Models/WorkspaceSetting.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/Operations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/OperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/PricingsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperationsExtensions.cs create mode 100644 
src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecureScoresOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecureScoresOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperationsExtensions.cs 
create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SettingsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperationsExtensions.cs create mode 
100644 src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/TasksOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/TasksOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/TopologyOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/TopologyOperationsExtensions.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperations.cs create mode 100644 src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperationsExtensions.cs
diff --git a/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperations.cs
new file mode 100644
index 000000000000..524870971a85
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperations.cs
@@ -0,0 +1,836 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdaptiveApplicationControlsOperations operations. + /// + internal partial class AdaptiveApplicationControlsOperations : IServiceOperations, IAdaptiveApplicationControlsOperations + { + /// + /// Initializes a new instance of the AdaptiveApplicationControlsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AdaptiveApplicationControlsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of application control machine groups for the subscription. + /// + /// + /// Include the policy rules + /// + /// + /// Return output in a summarized form + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListWithHttpMessagesAsync(bool? includePathRecommendations = default(bool?), bool? summary = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("includePathRecommendations", includePathRecommendations); + tracingParameters.Add("summary", summary); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/applicationWhitelistings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (includePathRecommendations != null) + { + _queryParameters.Add(string.Format("includePathRecommendations={0}", System.Uri.EscapeDataString(Rest.Serialization.SafeJsonConvert.SerializeObject(includePathRecommendations, Client.SerializationSettings).Trim('"')))); + } + if (summary != null) + { + _queryParameters.Add(string.Format("summary={0}", System.Uri.EscapeDataString(Rest.Serialization.SafeJsonConvert.SerializeObject(summary, Client.SerializationSettings).Trim('"')))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = 
null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets an application control VM/server group. + /// + /// + /// Name of an application control machine group + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string groupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (groupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "groupName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("groupName", groupName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/applicationWhitelistings/{groupName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{groupName}", System.Uri.EscapeDataString(groupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update an application control machine group + /// + /// + /// Name of an application control machine group + /// + /// + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> PutWithHttpMessagesAsync(string groupName, AdaptiveApplicationControlGroup body, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (groupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "groupName"); + } + if (body == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "body"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("groupName", groupName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Put", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/applicationWhitelistings/{groupName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{groupName}", System.Uri.EscapeDataString(groupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType 
=System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + 
if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete an application control machine group + /// + /// + /// Name of an application control machine group + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string groupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (groupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "groupName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("groupName", groupName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/applicationWhitelistings/{groupName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{groupName}", System.Uri.EscapeDataString(groupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 202 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperationsExtensions.cs new file mode 100644 index 000000000000..d43ddfb37085 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AdaptiveApplicationControlsOperationsExtensions.cs 
@@ -0,0 +1,168 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AdaptiveApplicationControlsOperations. + /// + public static partial class AdaptiveApplicationControlsOperationsExtensions + { + /// + /// Gets a list of application control machine groups for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Include the policy rules + /// + /// + /// Return output in a summarized form + /// + public static AdaptiveApplicationControlGroups List(this IAdaptiveApplicationControlsOperations operations, bool? includePathRecommendations = default(bool?), bool? summary = default(bool?)) + { + return operations.ListAsync(includePathRecommendations, summary).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of application control machine groups for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Include the policy rules + /// + /// + /// Return output in a summarized form + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this IAdaptiveApplicationControlsOperations operations, bool? includePathRecommendations = default(bool?), bool? 
summary = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(includePathRecommendations, summary, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets an application control VM/server group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + public static AdaptiveApplicationControlGroup Get(this IAdaptiveApplicationControlsOperations operations, string groupName) + { + return operations.GetAsync(groupName).GetAwaiter().GetResult(); + } + + /// + /// Gets an application control VM/server group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAdaptiveApplicationControlsOperations operations, string groupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(groupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Update an application control machine group + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + /// + /// + public static AdaptiveApplicationControlGroup Put(this IAdaptiveApplicationControlsOperations operations, string groupName, AdaptiveApplicationControlGroup body) + { + return operations.PutAsync(groupName, body).GetAwaiter().GetResult(); + } + + /// + /// Update an application control machine group + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + /// + /// + /// + /// The cancellation token. 
+ /// + public static async Task PutAsync(this IAdaptiveApplicationControlsOperations operations, string groupName, AdaptiveApplicationControlGroup body, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.PutWithHttpMessagesAsync(groupName, body, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete an application control machine group + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + public static void Delete(this IAdaptiveApplicationControlsOperations operations, string groupName) + { + operations.DeleteAsync(groupName).GetAwaiter().GetResult(); + } + + /// + /// Delete an application control machine group + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of an application control machine group + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IAdaptiveApplicationControlsOperations operations, string groupName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(groupName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperations.cs new file mode 100644 index 000000000000..b40d5fa63f44 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperations.cs 
@@ -0,0 +1,1003 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdaptiveNetworkHardeningsOperations operations. + /// + internal partial class AdaptiveNetworkHardeningsOperations : IServiceOperations, IAdaptiveNetworkHardeningsOperations + { + /// + /// Initializes a new instance of the AdaptiveNetworkHardeningsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AdaptiveNetworkHardeningsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByExtendedResource", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/adaptiveNetworkHardenings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a single Adaptive Network Hardening resource + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. 
+ /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if 
(resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + if (adaptiveNetworkHardeningResourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "adaptiveNetworkHardeningResourceName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("adaptiveNetworkHardeningResourceName", adaptiveNetworkHardeningResourceName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/adaptiveNetworkHardenings/{adaptiveNetworkHardeningResourceName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{adaptiveNetworkHardeningResourceName}", System.Uri.EscapeDataString(adaptiveNetworkHardeningResourceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + public async Task EnforceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationResponse _response = await BeginEnforceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, rules, networkSecurityGroups, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task BeginEnforceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } 
+ if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + if (adaptiveNetworkHardeningResourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "adaptiveNetworkHardeningResourceName"); + } + if (rules == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "rules"); + } + if (networkSecurityGroups == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "networkSecurityGroups"); + } + string adaptiveNetworkHardeningEnforceAction = "enforce"; + string apiVersion = "2020-01-01"; + AdaptiveNetworkHardeningEnforceRequest body = new AdaptiveNetworkHardeningEnforceRequest(); + if (rules != null || networkSecurityGroups != null) + { + body.Rules = rules; + body.NetworkSecurityGroups = networkSecurityGroups; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("adaptiveNetworkHardeningResourceName", adaptiveNetworkHardeningResourceName); + tracingParameters.Add("adaptiveNetworkHardeningEnforceAction", adaptiveNetworkHardeningEnforceAction); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginEnforce", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/adaptiveNetworkHardenings/{adaptiveNetworkHardeningResourceName}/{adaptiveNetworkHardeningEnforceAction}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{adaptiveNetworkHardeningResourceName}", System.Uri.EscapeDataString(adaptiveNetworkHardeningResourceName)); + _url = _url.Replace("{adaptiveNetworkHardeningEnforceAction}", System.Uri.EscapeDataString(adaptiveNetworkHardeningEnforceAction)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, 
_httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByExtendedResourceNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByExtendedResourceNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperationsExtensions.cs new file mode 100644 index 000000000000..1f698f88bf8a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AdaptiveNetworkHardeningsOperationsExtensions.cs 
@@ -0,0 +1,325 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AdaptiveNetworkHardeningsOperations. + /// + public static partial class AdaptiveNetworkHardeningsOperationsExtensions + { + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static IPage ListByExtendedResource(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + return operations.ListByExtendedResourceAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByExtendedResourceAsync(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByExtendedResourceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a single Adaptive Network Hardening resource + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + public static AdaptiveNetworkHardening Get(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName) + { + return operations.GetAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets a single Adaptive Network Hardening resource + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + public static void Enforce(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups) + { + operations.EnforceAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, rules, networkSecurityGroups).GetAwaiter().GetResult(); + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + /// + /// The cancellation token. + /// + public static async Task EnforceAsync(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.EnforceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, rules, networkSecurityGroups, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. 
+ /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + public static void BeginEnforce(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups) + { + operations.BeginEnforceAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, rules, networkSecurityGroups).GetAwaiter().GetResult(); + } + + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups that will + /// be updated with the created security rules from the Adaptive Network + /// Hardening rules + /// + /// + /// The cancellation token. 
+ /// + public static async Task BeginEnforceAsync(this IAdaptiveNetworkHardeningsOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.BeginEnforceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, adaptiveNetworkHardeningResourceName, rules, networkSecurityGroups, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByExtendedResourceNext(this IAdaptiveNetworkHardeningsOperations operations, string nextPageLink) + { + return operations.ListByExtendedResourceNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByExtendedResourceNextAsync(this IAdaptiveNetworkHardeningsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByExtendedResourceNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperations.cs b/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperations.cs new file mode 100644 index 000000000000..13a4681b3563 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperations.cs 
@@ -0,0 +1,436 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdvancedThreatProtectionOperations operations. + /// + internal partial class AdvancedThreatProtectionOperations : IServiceOperations, IAdvancedThreatProtectionOperations + { + /// + /// Initializes a new instance of the AdvancedThreatProtectionOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AdvancedThreatProtectionOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets the Advanced Threat Protection settings for the specified resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + string apiVersion = "2019-01-01"; + string settingName = "current"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/advancedThreatProtectionSettings/{settingName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or updates the Advanced Threat Protection settings on a specified + /// resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// Indicates whether Advanced Threat Protection is enabled. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateWithHttpMessagesAsync(string resourceId, bool? isEnabled = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + string apiVersion = "2019-01-01"; + string settingName = "current"; + AdvancedThreatProtectionSetting advancedThreatProtectionSetting = new AdvancedThreatProtectionSetting(); + if (isEnabled != null) + { + advancedThreatProtectionSetting.IsEnabled = isEnabled; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("advancedThreatProtectionSetting", advancedThreatProtectionSetting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/advancedThreatProtectionSettings/{settingName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(advancedThreatProtectionSetting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(advancedThreatProtectionSetting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if 
(Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperationsExtensions.cs new file mode 100644 index 000000000000..6781f07eda08 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AdvancedThreatProtectionOperationsExtensions.cs 
@@ -0,0 +1,101 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AdvancedThreatProtectionOperations. + /// + public static partial class AdvancedThreatProtectionOperationsExtensions + { + /// + /// Gets the Advanced Threat Protection settings for the specified resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + public static AdvancedThreatProtectionSetting Get(this IAdvancedThreatProtectionOperations operations, string resourceId) + { + return operations.GetAsync(resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets the Advanced Threat Protection settings for the specified resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAdvancedThreatProtectionOperations operations, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or updates the Advanced Threat Protection settings on a specified + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// Indicates whether Advanced Threat Protection is enabled. 
+ /// + public static AdvancedThreatProtectionSetting Create(this IAdvancedThreatProtectionOperations operations, string resourceId, bool? isEnabled = default(bool?)) + { + return operations.CreateAsync(resourceId, isEnabled).GetAwaiter().GetResult(); + } + + /// + /// Creates or updates the Advanced Threat Protection settings on a specified + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// Indicates whether Advanced Threat Protection is enabled. + /// + /// + /// The cancellation token. + /// + public static async Task CreateAsync(this IAdvancedThreatProtectionOperations operations, string resourceId, bool? isEnabled = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(resourceId, isEnabled, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs index 95cf9b3ae2f0..53d1642c658c 100644 --- a/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs +++ b/src/Security/Security.Management.Sdk/Generated/AlertsOperations.cs @@ -76,10 +76,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -91,6 +87,7 @@ internal AlertsOperations(SecurityCenterClient client) throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); } } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -98,6 +95,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); } @@ -106,9 +104,9 @@ internal AlertsOperations(SecurityCenterClient client) var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts").ToString(); _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -265,10 +263,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -299,6 +293,7 @@ internal AlertsOperations(SecurityCenterClient client) throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); } } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -306,6 +301,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); @@ -316,9 +312,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -472,10 +468,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task>> ListSubscriptionLevelByRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -491,6 +483,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -498,6 +491,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "ListSubscriptionLevelByRegion", tracingParameters); } @@ -507,9 +501,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -667,10 +661,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task>> ListResourceGroupLevelByRegionWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -705,6 +695,7 @@ internal AlertsOperations(SecurityCenterClient client) throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); } } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -712,6 +703,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "ListResourceGroupLevelByRegion", tracingParameters); @@ -723,9 +715,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -881,10 +873,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task> GetSubscriptionLevelWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -904,6 +892,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -911,6 +900,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "GetSubscriptionLevel", tracingParameters); @@ -922,9 +912,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -1085,10 +1075,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task> GetResourceGroupLevelWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -1127,6 +1113,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -1134,6 +1121,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); @@ -1147,9 +1135,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -1302,10 +1290,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateSubscriptionLevelStateToDismissWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -1325,6 +1309,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -1332,6 +1317,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToDismiss", tracingParameters); @@ -1343,9 +1329,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -1480,10 +1466,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateSubscriptionLevelStateToResolveWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -1503,6 +1485,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -1510,6 +1493,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToResolve", tracingParameters); @@ -1521,9 +1505,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -1658,10 +1642,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateSubscriptionLevelStateToActivateWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -1681,6 +1661,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -1688,6 +1669,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToActivate", tracingParameters); @@ -1699,9 +1681,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -1836,10 +1818,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateSubscriptionLevelStateToInProgressWithHttpMessagesAsync(string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -1859,6 +1837,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -1866,6 +1845,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelStateToInProgress", tracingParameters); @@ -1877,9 +1857,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -2018,10 +1998,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -2060,6 +2036,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -2067,6 +2044,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); @@ -2080,9 +2058,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -2221,10 +2199,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -2263,6 +2237,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -2270,6 +2245,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); @@ -2283,9 +2259,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -2424,10 +2400,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -2466,6 +2438,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -2473,6 +2446,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); @@ -2486,9 +2460,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -2627,10 +2601,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task UpdateResourceGroupLevelStateToInProgressWithHttpMessagesAsync(string resourceGroupName, string alertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -2669,6 +2639,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "alertName"); } + string apiVersion = "2022-01-01"; // Tracing bool _shouldTrace = ServiceClientTracing.IsEnabled; string _invocationId = null; @@ -2676,6 +2647,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("resourceGroupName", resourceGroupName); tracingParameters.Add("alertName", alertName); tracingParameters.Add("cancellationToken", cancellationToken); @@ -2689,9 +2661,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); _url = _url.Replace("{alertName}", System.Uri.EscapeDataString(alertName)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { @@ -2845,10 +2817,6 @@ internal AlertsOperations(SecurityCenterClient client) /// public async Task BeginSimulateWithHttpMessagesAsync(AlertSimulatorRequestProperties properties = default(AlertSimulatorRequestProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { - if (Client.ApiVersion == null) - { - throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.ApiVersion"); - } if (Client.SubscriptionId == null) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); 
@@ -2864,6 +2832,7 @@ internal AlertsOperations(SecurityCenterClient client) { throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); } + string apiVersion = "2022-01-01"; AlertSimulatorRequestBody alertSimulatorRequestBody = new AlertSimulatorRequestBody(); if (properties != null) { @@ -2876,6 +2845,7 @@ internal AlertsOperations(SecurityCenterClient client) { _invocationId = ServiceClientTracing.NextInvocationId.ToString(); Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); tracingParameters.Add("alertSimulatorRequestBody", alertSimulatorRequestBody); tracingParameters.Add("cancellationToken", cancellationToken); ServiceClientTracing.Enter(_invocationId, this, "BeginSimulate", tracingParameters); @@ -2886,9 +2856,9 @@ internal AlertsOperations(SecurityCenterClient client) _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); List _queryParameters = new List(); - if (Client.ApiVersion != null) + if (apiVersion != null) { - _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(Client.ApiVersion))); + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); } if (_queryParameters.Count > 0) { diff --git a/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperations.cs new file mode 100644 index 000000000000..218a659c1e10 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperations.cs 
@@ -0,0 +1,992 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AlertsSuppressionRulesOperations operations. + /// + internal partial class AlertsSuppressionRulesOperations : IServiceOperations, IAlertsSuppressionRulesOperations + { + /// + /// Initializes a new instance of the AlertsSuppressionRulesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AlertsSuppressionRulesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// Type of the alert to get rules for + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string alertType = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("alertType", alertType); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (alertType != null) + { + _queryParameters.Add(string.Format("AlertType={0}", System.Uri.EscapeDataString(alertType))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get dismiss rule, with name: {alertsSuppressionRuleName}, for the given + /// subscription + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string alertsSuppressionRuleName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (alertsSuppressionRuleName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertsSuppressionRuleName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("alertsSuppressionRuleName", alertsSuppressionRuleName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{alertsSuppressionRuleName}", System.Uri.EscapeDataString(alertsSuppressionRuleName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Update existing rule or create new rule if it doesn't exist + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Suppression rule object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> UpdateWithHttpMessagesAsync(string alertsSuppressionRuleName, AlertsSuppressionRule alertsSuppressionRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (alertsSuppressionRuleName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertsSuppressionRuleName"); + } + if (alertsSuppressionRule == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertsSuppressionRule"); + } + if (alertsSuppressionRule != 
null) + { + alertsSuppressionRule.Validate(); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("alertsSuppressionRuleName", alertsSuppressionRuleName); + tracingParameters.Add("alertsSuppressionRule", alertsSuppressionRule); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{alertsSuppressionRuleName}", System.Uri.EscapeDataString(alertsSuppressionRuleName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(alertsSuppressionRule != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(alertsSuppressionRule, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to 
deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete dismiss alert rule for this subscription. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string alertsSuppressionRuleName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (alertsSuppressionRuleName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "alertsSuppressionRuleName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("alertsSuppressionRuleName", alertsSuppressionRuleName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, 
"Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{alertsSuppressionRuleName}", System.Uri.EscapeDataString(alertsSuppressionRuleName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await 
Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + 
ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperationsExtensions.cs new file mode 100644 index 000000000000..d1d174bcfe3a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AlertsSuppressionRulesOperationsExtensions.cs 
@@ -0,0 +1,200 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AlertsSuppressionRulesOperations. + /// + public static partial class AlertsSuppressionRulesOperationsExtensions + { + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Type of the alert to get rules for + /// + public static IPage List(this IAlertsSuppressionRulesOperations operations, string alertType = default(string)) + { + return operations.ListAsync(alertType).GetAwaiter().GetResult(); + } + + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Type of the alert to get rules for + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAlertsSuppressionRulesOperations operations, string alertType = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(alertType, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get dismiss rule, with name: {alertsSuppressionRuleName}, for the given + /// subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The unique name of the suppression alert rule + /// + public static AlertsSuppressionRule Get(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName) + { + return operations.GetAsync(alertsSuppressionRuleName).GetAwaiter().GetResult(); + } + + /// + /// Get dismiss rule, with name: {alertsSuppressionRuleName}, for the given + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(alertsSuppressionRuleName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Update existing rule or create new rule if it doesn't exist + /// + /// + /// The operations group for this extension method. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Suppression rule object + /// + public static AlertsSuppressionRule Update(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName, AlertsSuppressionRule alertsSuppressionRule) + { + return operations.UpdateAsync(alertsSuppressionRuleName, alertsSuppressionRule).GetAwaiter().GetResult(); + } + + /// + /// Update existing rule or create new rule if it doesn't exist + /// + /// + /// The operations group for this extension method. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Suppression rule object + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateAsync(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName, AlertsSuppressionRule alertsSuppressionRule, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(alertsSuppressionRuleName, alertsSuppressionRule, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete dismiss alert rule for this subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The unique name of the suppression alert rule + /// + public static void Delete(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName) + { + operations.DeleteAsync(alertsSuppressionRuleName).GetAwaiter().GetResult(); + } + + /// + /// Delete dismiss alert rule for this subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IAlertsSuppressionRulesOperations operations, string alertsSuppressionRuleName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(alertsSuppressionRuleName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IAlertsSuppressionRulesOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAlertsSuppressionRulesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperations.cs new file mode 100644 index 000000000000..683054249d40 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperations.cs 
@@ -0,0 +1,999 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AllowedConnectionsOperations operations. + /// + internal partial class AllowedConnectionsOperations : IServiceOperations, IAllowedConnectionsOperations + { + /// + /// Initializes a new instance of the AllowedConnectionsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AllowedConnectionsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/allowedConnections").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/allowedConnections").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location, based on connection type. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The type of allowed connections (Internal, External). Possible values + /// include: 'Internal', 'External' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string connectionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (connectionType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "connectionType"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("connectionType", connectionType); + tracingParameters.Add("apiVersion", apiVersion); 
+ tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/allowedConnections/{connectionType}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{connectionType}", System.Uri.EscapeDataString(connectionType)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperationsExtensions.cs new file mode 100644 index 000000000000..e28c1214a53d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AllowedConnectionsOperationsExtensions.cs 
@@ -0,0 +1,203 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AllowedConnectionsOperations. + /// + public static partial class AllowedConnectionsOperationsExtensions + { + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IAllowedConnectionsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAllowedConnectionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListByHomeRegion(this IAllowedConnectionsOperations operations) + { + return operations.ListByHomeRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionAsync(this IAllowedConnectionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location, based on connection type. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The type of allowed connections (Internal, External). Possible values + /// include: 'Internal', 'External' + /// + public static AllowedConnectionsResource Get(this IAllowedConnectionsOperations operations, string resourceGroupName, string connectionType) + { + return operations.GetAsync(resourceGroupName, connectionType).GetAwaiter().GetResult(); + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location, based on connection type. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The type of allowed connections (Internal, External). Possible values + /// include: 'Internal', 'External' + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IAllowedConnectionsOperations operations, string resourceGroupName, string connectionType, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, connectionType, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IAllowedConnectionsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAllowedConnectionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListByHomeRegionNext(this IAllowedConnectionsOperations operations, string nextPageLink) + { + return operations.ListByHomeRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionNextAsync(this IAllowedConnectionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ApplicationOperations.cs b/src/Security/Security.Management.Sdk/Generated/ApplicationOperations.cs new file mode 100644 index 000000000000..3ad2faf5d081 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ApplicationOperations.cs 
@@ -0,0 +1,645 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ApplicationOperations operations. + /// + internal partial class ApplicationOperations : IServiceOperations, IApplicationOperations + { + /// + /// Initializes a new instance of the ApplicationOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ApplicationOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or update a security application on the given subscription. 
+ /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string applicationId, Application application, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + if (application == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "application"); + } + if (application != null) + { + application.Validate(); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("application", 
application); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(application != null) + { + _requestContent = 
Rest.Serialization.SafeJsonConvert.SerializeObject(application, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, 
ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + 
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ApplicationOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ApplicationOperationsExtensions.cs new file mode 100644 index 000000000000..a94e1a10d83b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ApplicationOperationsExtensions.cs 
@@ -0,0 +1,130 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ApplicationOperations. + /// + public static partial class ApplicationOperationsExtensions + { + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security Application key - unique key for the standard application + /// + public static Application Get(this IApplicationOperations operations, string applicationId) + { + return operations.GetAsync(applicationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IApplicationOperations operations, string applicationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(applicationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or update a security application on the given subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + public static Application CreateOrUpdate(this IApplicationOperations operations, string applicationId, Application application) + { + return operations.CreateOrUpdateAsync(applicationId, application).GetAwaiter().GetResult(); + } + + /// + /// Creates or update a security application on the given subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IApplicationOperations operations, string applicationId, Application application, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(applicationId, application, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security Application key - unique key for the standard application + /// + public static void Delete(this IApplicationOperations operations, string applicationId) + { + operations.DeleteAsync(applicationId).GetAwaiter().GetResult(); + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this IApplicationOperations operations, string applicationId, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(applicationId, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ApplicationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ApplicationsOperations.cs new file mode 100644 index 000000000000..b5f9b0198c5f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ApplicationsOperations.cs 
@@ -0,0 +1,410 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ApplicationsOperations operations. + /// + internal partial class ApplicationsOperations : IServiceOperations, IApplicationsOperations + { + /// + /// Initializes a new instance of the ApplicationsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ApplicationsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/applications").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ApplicationsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ApplicationsOperationsExtensions.cs new file mode 100644 index 000000000000..c8ff3f88caa2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ApplicationsOperationsExtensions.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ApplicationsOperations. + /// + public static partial class ApplicationsOperationsExtensions + { + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IApplicationsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IApplicationsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IApplicationsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant applications over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IApplicationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperations.cs b/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperations.cs new file mode 100644 index 000000000000..6b11d7dceecc --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperations.cs 
@@ -0,0 +1,1504 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AssessmentsMetadataOperations operations. + /// + internal partial class AssessmentsMetadataOperations : IServiceOperations, IAssessmentsMetadataOperations + { + /// + /// Initializes a new instance of the AssessmentsMetadataOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AssessmentsMetadataOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get metadata information on all assessment types + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "providers/Microsoft.Security/assessmentMetadata").ToString(); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get metadata information on an assessment type + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (assessmentMetadataName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentMetadataName"); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("assessmentMetadataName", assessmentMetadataName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "providers/Microsoft.Security/assessmentMetadata/{assessmentMetadataName}").ToString(); + _url = _url.Replace("{assessmentMetadataName}", System.Uri.EscapeDataString(assessmentMetadataName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentMetadata").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get metadata information on an assessment type in a specific subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (assessmentMetadataName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentMetadataName"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + 
tracingParameters.Add("assessmentMetadataName", assessmentMetadataName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "GetInSubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentMetadata/{assessmentMetadataName}").ToString(); + _url = _url.Replace("{assessmentMetadataName}", System.Uri.EscapeDataString(assessmentMetadataName)); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create metadata information on an assessment type in a specific + /// subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// AssessmentMetadata object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, SecurityAssessmentMetadataResponse assessmentMetadata, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (assessmentMetadataName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentMetadataName"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (assessmentMetadata == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentMetadata"); + } + if (assessmentMetadata != null) + { + assessmentMetadata.Validate(); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("assessmentMetadataName", assessmentMetadataName); + tracingParameters.Add("assessmentMetadata", assessmentMetadata); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateInSubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentMetadata/{assessmentMetadataName}").ToString(); + _url = _url.Replace("{assessmentMetadataName}", System.Uri.EscapeDataString(assessmentMetadataName)); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(assessmentMetadata != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(assessmentMetadata, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType 
=System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + 
if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete metadata information on an assessment type in a specific + /// subscription, will cause the deletion of all the assessments of that type + /// in that subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (assessmentMetadataName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentMetadataName"); + } + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("assessmentMetadataName", assessmentMetadataName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "DeleteInSubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentMetadata/{assessmentMetadataName}").ToString(); + _url = _url.Replace("{assessmentMetadataName}", System.Uri.EscapeDataString(assessmentMetadataName)); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get metadata information on all assessment types + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperationsExtensions.cs
new file mode 100644
index 000000000000..9170cabf9e6d
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/AssessmentsMetadataOperationsExtensions.cs
@@ -0,0 +1,294 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AssessmentsMetadataOperations. + /// + public static partial class AssessmentsMetadataOperationsExtensions + { + /// + /// Get metadata information on all assessment types + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IAssessmentsMetadataOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on all assessment types + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAssessmentsMetadataOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get metadata information on an assessment type + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static SecurityAssessmentMetadataResponse Get(this IAssessmentsMetadataOperations operations, string assessmentMetadataName) + { + return operations.GetAsync(assessmentMetadataName).GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on an assessment type + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAssessmentsMetadataOperations operations, string assessmentMetadataName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(assessmentMetadataName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListBySubscription(this IAssessmentsMetadataOperations operations) + { + return operations.ListBySubscriptionAsync().GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this IAssessmentsMetadataOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get metadata information on an assessment type in a specific subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static SecurityAssessmentMetadataResponse GetInSubscription(this IAssessmentsMetadataOperations operations, string assessmentMetadataName) + { + return operations.GetInSubscriptionAsync(assessmentMetadataName).GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on an assessment type in a specific subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. + /// + public static async Task GetInSubscriptionAsync(this IAssessmentsMetadataOperations operations, string assessmentMetadataName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetInSubscriptionWithHttpMessagesAsync(assessmentMetadataName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create metadata information on an assessment type in a specific + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// AssessmentMetadata object + /// + public static SecurityAssessmentMetadataResponse CreateInSubscription(this IAssessmentsMetadataOperations operations, string assessmentMetadataName, SecurityAssessmentMetadataResponse assessmentMetadata) + { + return operations.CreateInSubscriptionAsync(assessmentMetadataName, assessmentMetadata).GetAwaiter().GetResult(); + } + + /// + /// Create metadata information on an assessment type in a specific + /// subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// AssessmentMetadata object + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateInSubscriptionAsync(this IAssessmentsMetadataOperations operations, string assessmentMetadataName, SecurityAssessmentMetadataResponse assessmentMetadata, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateInSubscriptionWithHttpMessagesAsync(assessmentMetadataName, assessmentMetadata, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete metadata information on an assessment type in a specific + /// subscription, will cause the deletion of all the assessments of that type + /// in that subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static void DeleteInSubscription(this IAssessmentsMetadataOperations operations, string assessmentMetadataName) + { + operations.DeleteInSubscriptionAsync(assessmentMetadataName).GetAwaiter().GetResult(); + } + + /// + /// Delete metadata information on an assessment type in a specific + /// subscription, will cause the deletion of all the assessments of that type + /// in that subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. + /// + public static async Task DeleteInSubscriptionAsync(this IAssessmentsMetadataOperations operations, string assessmentMetadataName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteInSubscriptionWithHttpMessagesAsync(assessmentMetadataName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Get metadata information on all assessment types + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IAssessmentsMetadataOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on all assessment types + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAssessmentsMetadataOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySubscriptionNext(this IAssessmentsMetadataOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get metadata information on all assessment types in a specific subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionNextAsync(this IAssessmentsMetadataOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AssessmentsOperations.cs
new file mode 100644
index 000000000000..a5585a960fc8
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/AssessmentsOperations.cs
@@ -0,0 +1,1003 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AssessmentsOperations operations. + /// + internal partial class AssessmentsOperations : IServiceOperations, IAssessmentsOperations + { + /// + /// Initializes a new instance of the AssessmentsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AssessmentsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/assessments").ToString(); + _url = _url.Replace("{scope}", scope); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a security assessment on your scanned resource + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// OData expand. Optional. 
Possible values include: 'links', 'metadata' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceId, string assessmentName, string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("expand", expand); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/assessments/{assessmentName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (expand != null) + { + _queryParameters.Add(string.Format("$expand={0}", System.Uri.EscapeDataString(expand))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + 
} + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Calculated assessment on a pre-defined assessment metadata + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceId, string assessmentName, SecurityAssessment assessment, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + if (assessment == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessment"); + } + if (assessment != null) + { + assessment.Validate(); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("assessment", assessment); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/assessments/{assessmentName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(assessment != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(assessment, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string resourceId, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + string apiVersion = "2021-06-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/assessments/{assessmentName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AssessmentsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AssessmentsOperationsExtensions.cs new file mode 100644 index 000000000000..77157c70c2c3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AssessmentsOperationsExtensions.cs 
@@ -0,0 +1,234 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AssessmentsOperations. + /// + public static partial class AssessmentsOperationsExtensions + { + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + public static IPage List(this IAssessmentsOperations operations, string scope) + { + return operations.ListAsync(scope).GetAwaiter().GetResult(); + } + + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this IAssessmentsOperations operations, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a security assessment on your scanned resource + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// OData expand. Optional. Possible values include: 'links', 'metadata' + /// + public static SecurityAssessmentResponse Get(this IAssessmentsOperations operations, string resourceId, string assessmentName, string expand = default(string)) + { + return operations.GetAsync(resourceId, assessmentName, expand).GetAwaiter().GetResult(); + } + + /// + /// Get a security assessment on your scanned resource + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// OData expand. Optional. Possible values include: 'links', 'metadata' + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAssessmentsOperations operations, string resourceId, string assessmentName, string expand = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceId, assessmentName, expand, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Calculated assessment on a pre-defined assessment metadata + /// + public static SecurityAssessmentResponse CreateOrUpdate(this IAssessmentsOperations operations, string resourceId, string assessmentName, SecurityAssessment assessment) + { + return operations.CreateOrUpdateAsync(resourceId, assessmentName, assessment).GetAwaiter().GetResult(); + } + + /// + /// Create a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Calculated assessment on a pre-defined assessment metadata + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IAssessmentsOperations operations, string resourceId, string assessmentName, SecurityAssessment assessment, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceId, assessmentName, assessment, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static void Delete(this IAssessmentsOperations operations, string resourceId, string assessmentName) + { + operations.DeleteAsync(resourceId, assessmentName).GetAwaiter().GetResult(); + } + + /// + /// Delete a security assessment on your resource. An assessment metadata that + /// describes this assessment must be predefined with the same name before + /// inserting the assessment result + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IAssessmentsOperations operations, string resourceId, string assessmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceId, assessmentName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IAssessmentsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get security assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this IAssessmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperations.cs new file mode 100644 index 000000000000..bac4d7455e1c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperations.cs 
@@ -0,0 +1,814 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AutoProvisioningSettingsOperations operations. + /// + internal partial class AutoProvisioningSettingsOperations : IServiceOperations, IAutoProvisioningSettingsOperations + { + /// + /// Initializes a new instance of the AutoProvisioningSettingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AutoProvisioningSettingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/autoProvisioningSettings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of a specific setting + /// + /// + /// Auto provisioning setting key + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string settingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (settingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "settingName"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/autoProvisioningSettings/{settingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + 
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of a specific setting + /// + /// + /// Auto provisioning setting key + /// + /// + /// Describes what kind of security agent provisioning action to take. Possible + /// values include: 'On', 'Off' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateWithHttpMessagesAsync(string settingName, string autoProvision, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (settingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "settingName"); + } + if (autoProvision == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "autoProvision"); + } + string apiVersion = "2017-08-01-preview"; + AutoProvisioningSetting setting = new AutoProvisioningSetting(); + if (autoProvision != null) + { + 
setting.AutoProvision = autoProvision; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("setting", setting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/autoProvisioningSettings/{settingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(setting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(setting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, 
_httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } 
+ } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperationsExtensions.cs new file mode 100644 index 000000000000..12b72c1a682c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AutoProvisioningSettingsOperationsExtensions.cs 
@@ -0,0 +1,163 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AutoProvisioningSettingsOperations. + /// + public static partial class AutoProvisioningSettingsOperationsExtensions + { + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IAutoProvisioningSettingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAutoProvisioningSettingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of a specific setting + /// + /// + /// The operations group for this extension method. + /// + /// + /// Auto provisioning setting key + /// + public static AutoProvisioningSetting Get(this IAutoProvisioningSettingsOperations operations, string settingName) + { + return operations.GetAsync(settingName).GetAwaiter().GetResult(); + } + + /// + /// Details of a specific setting + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Auto provisioning setting key + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAutoProvisioningSettingsOperations operations, string settingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(settingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of a specific setting + /// + /// + /// The operations group for this extension method. + /// + /// + /// Auto provisioning setting key + /// + /// + /// Describes what kind of security agent provisioning action to take. Possible + /// values include: 'On', 'Off' + /// + public static AutoProvisioningSetting Create(this IAutoProvisioningSettingsOperations operations, string settingName, string autoProvision) + { + return operations.CreateAsync(settingName, autoProvision).GetAwaiter().GetResult(); + } + + /// + /// Details of a specific setting + /// + /// + /// The operations group for this extension method. + /// + /// + /// Auto provisioning setting key + /// + /// + /// Describes what kind of security agent provisioning action to take. Possible + /// values include: 'On', 'Off' + /// + /// + /// The cancellation token. + /// + public static async Task CreateAsync(this IAutoProvisioningSettingsOperations operations, string settingName, string autoProvision, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(settingName, autoProvision, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IAutoProvisioningSettingsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAutoProvisioningSettingsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/AutomationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/AutomationsOperations.cs new file mode 100644 index 000000000000..d60283944484 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/AutomationsOperations.cs 
@@ -0,0 +1,1695 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AutomationsOperations operations. + /// + internal partial class AutomationsOperations : IServiceOperations, IAutomationsOperations + { + /// + /// Initializes a new instance of the AutomationsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal AutomationsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/automations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if 
(_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Retrieves information about the model of a security automation. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security automation name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string automationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (automationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automationName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("automationName", automationName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations/{automationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{automationName}", System.Uri.EscapeDataString(automationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or updates a security automation. If a security automation is + /// already created and a subsequent request is issued for the same automation + /// id, then it will be updated. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string automationName, Automation automation, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if 
(automationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automationName"); + } + if (automation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automation"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("automationName", automationName); + tracingParameters.Add("automation", automation); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations/{automationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{automationName}", System.Uri.EscapeDataString(automationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(automation != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(automation, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes a security automation. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string automationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (automationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automationName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("automationName", automationName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, 
"Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations/{automationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{automationName}", System.Uri.EscapeDataString(automationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + 
cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } 
+ if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Validates the security automation model before create or update. Any + /// validation errors are returned to the client. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ValidateWithHttpMessagesAsync(string resourceGroupName, string automationName, Automation automation, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, 
"resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (automationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automationName"); + } + if (automation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "automation"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("automationName", automationName); + tracingParameters.Add("automation", automation); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Validate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations/{automationName}/validate").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{automationName}", System.Uri.EscapeDataString(automationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(automation != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(automation, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to 
deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/AutomationsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/AutomationsOperationsExtensions.cs
new file mode 100644
index 000000000000..95d9935049fd
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/AutomationsOperationsExtensions.cs
@@ -0,0 +1,356 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for AutomationsOperations. + /// + public static partial class AutomationsOperationsExtensions + { + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IAutomationsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IAutomationsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroup(this IAutomationsOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAsync(this IAutomationsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Retrieves information about the model of a security automation. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + public static Automation Get(this IAutomationsOperations operations, string resourceGroupName, string automationName) + { + return operations.GetAsync(resourceGroupName, automationName).GetAwaiter().GetResult(); + } + + /// + /// Retrieves information about the model of a security automation. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. 
+ /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IAutomationsOperations operations, string resourceGroupName, string automationName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, automationName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or updates a security automation. If a security automation is + /// already created and a subsequent request is issued for the same automation + /// id, then it will be updated. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + public static Automation CreateOrUpdate(this IAutomationsOperations operations, string resourceGroupName, string automationName, Automation automation) + { + return operations.CreateOrUpdateAsync(resourceGroupName, automationName, automation).GetAwaiter().GetResult(); + } + + /// + /// Creates or updates a security automation. If a security automation is + /// already created and a subsequent request is issued for the same automation + /// id, then it will be updated. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this IAutomationsOperations operations, string resourceGroupName, string automationName, Automation automation, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, automationName, automation, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes a security automation. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + public static void Delete(this IAutomationsOperations operations, string resourceGroupName, string automationName) + { + operations.DeleteAsync(resourceGroupName, automationName).GetAwaiter().GetResult(); + } + + /// + /// Deletes a security automation. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IAutomationsOperations operations, string resourceGroupName, string automationName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, automationName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Validates the security automation model before create or update. Any + /// validation errors are returned to the client. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. 
+ /// + /// + /// The security automation resource + /// + public static AutomationValidationStatus Validate(this IAutomationsOperations operations, string resourceGroupName, string automationName, Automation automation) + { + return operations.ValidateAsync(resourceGroupName, automationName, automation).GetAwaiter().GetResult(); + } + + /// + /// Validates the security automation model before create or update. Any + /// validation errors are returned to the client. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// The cancellation token. + /// + public static async Task ValidateAsync(this IAutomationsOperations operations, string resourceGroupName, string automationName, Automation automation, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ValidateWithHttpMessagesAsync(resourceGroupName, automationName, automation, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IAutomationsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security automations in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified subscription. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IAutomationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this IAutomationsOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security automations in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// automations for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupNextAsync(this IAutomationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperations.cs
new file mode 100644
index 000000000000..bcdd9739ba99
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperations.cs
@@ -0,0 +1,598 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ComplianceResultsOperations operations. + /// + internal partial class ComplianceResultsOperations : IServiceOperations, IComplianceResultsOperations + { + /// + /// Initializes a new instance of the ComplianceResultsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ComplianceResultsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Security compliance results in the subscription + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2017-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/complianceResults").ToString(); + _url = _url.Replace("{scope}", scope); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Security Compliance Result + /// + /// + /// The identifier of the resource. + /// + /// + /// name of the desired assessment compliance result + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceId, string complianceResultName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (complianceResultName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "complianceResultName"); + } + string apiVersion = "2017-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("complianceResultName", complianceResultName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/complianceResults/{complianceResultName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{complianceResultName}", System.Uri.EscapeDataString(complianceResultName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await 
Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + 
if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Security compliance results in the subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperationsExtensions.cs
new file mode 100644
index 000000000000..974a102a3266
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/ComplianceResultsOperationsExtensions.cs
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ComplianceResultsOperations. + /// + public static partial class ComplianceResultsOperationsExtensions + { + /// + /// Security compliance results in the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + public static IPage List(this IComplianceResultsOperations operations, string scope) + { + return operations.ListAsync(scope).GetAwaiter().GetResult(); + } + + /// + /// Security compliance results in the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IComplianceResultsOperations operations, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Security Compliance Result + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The identifier of the resource. + /// + /// + /// name of the desired assessment compliance result + /// + public static ComplianceResult Get(this IComplianceResultsOperations operations, string resourceId, string complianceResultName) + { + return operations.GetAsync(resourceId, complianceResultName).GetAwaiter().GetResult(); + } + + /// + /// Security Compliance Result + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// name of the desired assessment compliance result + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IComplianceResultsOperations operations, string resourceId, string complianceResultName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceId, complianceResultName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Security compliance results in the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IComplianceResultsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Security compliance results in the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this IComplianceResultsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/CompliancesOperations.cs b/src/Security/Security.Management.Sdk/Generated/CompliancesOperations.cs new file mode 100644 index 000000000000..307faa6dcacc --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CompliancesOperations.cs 
@@ -0,0 +1,600 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CompliancesOperations operations. + /// + internal partial class CompliancesOperations : IServiceOperations, ICompliancesOperations + { + /// + /// Initializes a new instance of the CompliancesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal CompliancesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// The Compliance scores of the specific management group. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/compliances").ToString(); + _url = _url.Replace("{scope}", scope); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of a specific Compliance. 
+ /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// name of the Compliance + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string scope, string complianceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (complianceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "complianceName"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("complianceName", complianceName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/compliances/{complianceName}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{complianceName}", System.Uri.EscapeDataString(complianceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/CompliancesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/CompliancesOperationsExtensions.cs new file mode 100644 index 000000000000..5221eb55ab00 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CompliancesOperationsExtensions.cs 
@@ -0,0 +1,141 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for CompliancesOperations. + /// + public static partial class CompliancesOperationsExtensions + { + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + public static IPage List(this ICompliancesOperations operations, string scope) + { + return operations.ListAsync(scope).GetAwaiter().GetResult(); + } + + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ICompliancesOperations operations, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of a specific Compliance. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// name of the Compliance + /// + public static Compliance Get(this ICompliancesOperations operations, string scope, string complianceName) + { + return operations.GetAsync(scope, complianceName).GetAwaiter().GetResult(); + } + + /// + /// Details of a specific Compliance. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// name of the Compliance + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ICompliancesOperations operations, string scope, string complianceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scope, complianceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ICompliancesOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this ICompliancesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ConnectorsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ConnectorsOperations.cs new file mode 100644 index 000000000000..0c991b90f231 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ConnectorsOperations.cs 
@@ -0,0 +1,992 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ConnectorsOperations operations. + /// + internal partial class ConnectorsOperations : IServiceOperations, IConnectorsOperations + { + /// + /// Initializes a new instance of the ConnectorsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ConnectorsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of a specific cloud account connector + /// + /// + /// Name of the cloud account connector + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string connectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (connectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "connectorName"); + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("connectorName", connectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors/{connectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{connectorName}", System.Uri.EscapeDataString(connectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + 
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create a cloud account connector or update an existing one. Connect to your + /// cloud account. For AWS, use either account credentials or role-based + /// authentication. For GCP, use account organization credentials. + /// + /// + /// Name of the cloud account connector + /// + /// + /// Settings for hybrid compute management. These settings are relevant only + /// for Arc autoProvision (Hybrid Compute). + /// + /// + /// Settings for authentication management, these settings are relevant only + /// for the cloud connector. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string connectorName, HybridComputeSettingsProperties hybridComputeSettings = default(HybridComputeSettingsProperties), AuthenticationDetailsProperties authenticationDetails = default(AuthenticationDetailsProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (connectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "connectorName"); + } + if (hybridComputeSettings != null) + { + hybridComputeSettings.Validate(); + } + string apiVersion = "2020-01-01-preview"; + ConnectorSetting connectorSetting = new ConnectorSetting(); + if (hybridComputeSettings != null || authenticationDetails != null) + { + connectorSetting.HybridComputeSettings = hybridComputeSettings; + connectorSetting.AuthenticationDetails = authenticationDetails; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("connectorName", connectorName); + tracingParameters.Add("connectorSetting", connectorSetting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var 
_url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors/{connectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{connectorName}", System.Uri.EscapeDataString(connectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(connectorSetting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(connectorSetting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType 
=System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + 
if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a cloud account connector from a subscription + /// + /// + /// Name of the cloud account connector + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string connectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (connectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "connectorName"); + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("connectorName", connectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors/{connectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{connectorName}", System.Uri.EscapeDataString(connectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ConnectorsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ConnectorsOperationsExtensions.cs new file mode 100644 index 000000000000..448906574d71 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ConnectorsOperationsExtensions.cs 
@@ -0,0 +1,206 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ConnectorsOperations. + /// + public static partial class ConnectorsOperationsExtensions + { + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IConnectorsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IConnectorsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of a specific cloud account connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + public static ConnectorSetting Get(this IConnectorsOperations operations, string connectorName) + { + return operations.GetAsync(connectorName).GetAwaiter().GetResult(); + } + + /// + /// Details of a specific cloud account connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IConnectorsOperations operations, string connectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(connectorName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create a cloud account connector or update an existing one. Connect to your + /// cloud account. For AWS, use either account credentials or role-based + /// authentication. For GCP, use account organization credentials. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + /// + /// Settings for hybrid compute management. These settings are relevant only + /// for Arc autoProvision (Hybrid Compute). + /// + /// + /// Settings for authentication management, these settings are relevant only + /// for the cloud connector. + /// + public static ConnectorSetting CreateOrUpdate(this IConnectorsOperations operations, string connectorName, HybridComputeSettingsProperties hybridComputeSettings = default(HybridComputeSettingsProperties), AuthenticationDetailsProperties authenticationDetails = default(AuthenticationDetailsProperties)) + { + return operations.CreateOrUpdateAsync(connectorName, hybridComputeSettings, authenticationDetails).GetAwaiter().GetResult(); + } + + /// + /// Create a cloud account connector or update an existing one. Connect to your + /// cloud account. For AWS, use either account credentials or role-based + /// authentication. For GCP, use account organization credentials. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + /// + /// Settings for hybrid compute management. These settings are relevant only + /// for Arc autoProvision (Hybrid Compute). 
+ /// + /// + /// Settings for authentication management, these settings are relevant only + /// for the cloud connector. + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IConnectorsOperations operations, string connectorName, HybridComputeSettingsProperties hybridComputeSettings = default(HybridComputeSettingsProperties), AuthenticationDetailsProperties authenticationDetails = default(AuthenticationDetailsProperties), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(connectorName, hybridComputeSettings, authenticationDetails, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a cloud account connector from a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + public static void Delete(this IConnectorsOperations operations, string connectorName) + { + operations.DeleteAsync(connectorName).GetAwaiter().GetResult(); + } + + /// + /// Delete a cloud account connector from a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the cloud account connector + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IConnectorsOperations operations, string connectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(connectorName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IConnectorsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IConnectorsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperations.cs new file mode 100644 index 000000000000..61b823a21c5b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperations.cs 
@@ -0,0 +1,1479 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CustomAssessmentAutomationsOperations operations. + /// + internal partial class CustomAssessmentAutomationsOperations : IServiceOperations, ICustomAssessmentAutomationsOperations + { + /// + /// Initializes a new instance of the CustomAssessmentAutomationsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal CustomAssessmentAutomationsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a custom assessment automation + /// + /// + /// Gets a single custom assessment automation by name for the provided + /// subscription and resource group. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customAssessmentAutomationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customAssessmentAutomationName"); + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = 
ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customAssessmentAutomationName", customAssessmentAutomationName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customAssessmentAutomations/{customAssessmentAutomationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customAssessmentAutomationName}", System.Uri.EscapeDataString(customAssessmentAutomationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates a custom assessment automation + /// + /// + /// Creates or updates a custom assessment automation for the provided + /// subscription. 
Please note that providing an existing custom assessment + /// automation will replace the existing record. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Custom Assessment Automation body + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, CustomAssessmentAutomationRequest customAssessmentAutomationBody, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if 
(!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customAssessmentAutomationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customAssessmentAutomationName"); + } + if (customAssessmentAutomationBody == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customAssessmentAutomationBody"); + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customAssessmentAutomationName", customAssessmentAutomationName); + tracingParameters.Add("customAssessmentAutomationBody", customAssessmentAutomationBody); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customAssessmentAutomations/{customAssessmentAutomationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customAssessmentAutomationName}", System.Uri.EscapeDataString(customAssessmentAutomationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(customAssessmentAutomationBody != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(customAssessmentAutomationBody, Client.SerializationSettings); + 
_httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + 
} + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes a custom assessment automation + /// + /// + /// Deletes a custom assessment automation by name for a provided subscription + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customAssessmentAutomationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customAssessmentAutomationName"); + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary 
tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customAssessmentAutomationName", customAssessmentAutomationName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customAssessmentAutomations/{customAssessmentAutomationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customAssessmentAutomationName}", System.Uri.EscapeDataString(customAssessmentAutomationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + 
tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customAssessmentAutomations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/customAssessmentAutomations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The NextLink from the 
previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperationsExtensions.cs new file mode 100644 index 000000000000..4db8866287f7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CustomAssessmentAutomationsOperationsExtensions.cs 
@@ -0,0 +1,338 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for CustomAssessmentAutomationsOperations. + /// + public static partial class CustomAssessmentAutomationsOperationsExtensions + { + /// + /// Gets a custom assessment automation + /// + /// + /// Gets a single custom assessment automation by name for the provided + /// subscription and resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + public static CustomAssessmentAutomation Get(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName) + { + return operations.GetAsync(resourceGroupName, customAssessmentAutomationName).GetAwaiter().GetResult(); + } + + /// + /// Gets a custom assessment automation + /// + /// + /// Gets a single custom assessment automation by name for the provided + /// subscription and resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, customAssessmentAutomationName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates a custom assessment automation + /// + /// + /// Creates or updates a custom assessment automation for the provided + /// subscription. Please note that providing an existing custom assessment + /// automation will replace the existing record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Custom Assessment Automation body + /// + public static CustomAssessmentAutomation Create(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName, CustomAssessmentAutomationRequest customAssessmentAutomationBody) + { + return operations.CreateAsync(resourceGroupName, customAssessmentAutomationName, customAssessmentAutomationBody).GetAwaiter().GetResult(); + } + + /// + /// Creates a custom assessment automation + /// + /// + /// Creates or updates a custom assessment automation for the provided + /// subscription. Please note that providing an existing custom assessment + /// automation will replace the existing record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Custom Assessment Automation body + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateAsync(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName, CustomAssessmentAutomationRequest customAssessmentAutomationBody, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(resourceGroupName, customAssessmentAutomationName, customAssessmentAutomationBody, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes a custom assessment automation + /// + /// + /// Deletes a custom assessment automation by name for a provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + public static void Delete(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName) + { + operations.DeleteAsync(resourceGroupName, customAssessmentAutomationName).GetAwaiter().GetResult(); + } + + /// + /// Deletes a custom assessment automation + /// + /// + /// Deletes a custom assessment automation by name for a provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, string customAssessmentAutomationName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, customAssessmentAutomationName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroup(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupAsync(this ICustomAssessmentAutomationsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListBySubscription(this ICustomAssessmentAutomationsOperations operations) + { + return operations.ListBySubscriptionAsync().GetAwaiter().GetResult(); + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this ICustomAssessmentAutomationsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListByResourceGroupNext(this ICustomAssessmentAutomationsOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List custom assessment automations in a subscription and a resource group + /// + /// + /// List custom assessment automations by provided subscription and resource + /// group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupNextAsync(this ICustomAssessmentAutomationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySubscriptionNext(this ICustomAssessmentAutomationsOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListBySubscriptionNextAsync(this ICustomAssessmentAutomationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperations.cs new file mode 100644 index 000000000000..0ce546b4ce83 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperations.cs 
@@ -0,0 +1,1481 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CustomEntityStoreAssignmentsOperations operations. + /// + internal partial class CustomEntityStoreAssignmentsOperations : IServiceOperations, ICustomEntityStoreAssignmentsOperations + { + /// + /// Initializes a new instance of the CustomEntityStoreAssignmentsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal CustomEntityStoreAssignmentsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a custom entity store assignment + /// + /// + /// Gets a single custom entity store assignment by name for the provided + /// subscription and resource group. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customEntityStoreAssignmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customEntityStoreAssignmentName"); + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = 
ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customEntityStoreAssignmentName", customEntityStoreAssignmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customEntityStoreAssignments/{customEntityStoreAssignmentName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customEntityStoreAssignmentName}", System.Uri.EscapeDataString(customEntityStoreAssignmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates a custom entity store assignment + /// + /// + /// Creates a custom entity store assignment for the provided subscription, if + /// not already exists. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The principal assigned with entity store. If not provided, will use caller + /// principal. Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, string principal = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if 
(!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customEntityStoreAssignmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customEntityStoreAssignmentName"); + } + string apiVersion = "2021-07-01-preview"; + CustomEntityStoreAssignmentRequest customEntityStoreAssignmentRequestBody = new CustomEntityStoreAssignmentRequest(); + if (principal != null) + { + customEntityStoreAssignmentRequestBody.Principal = principal; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customEntityStoreAssignmentName", customEntityStoreAssignmentName); + tracingParameters.Add("customEntityStoreAssignmentRequestBody", customEntityStoreAssignmentRequestBody); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customEntityStoreAssignments/{customEntityStoreAssignmentName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customEntityStoreAssignmentName}", System.Uri.EscapeDataString(customEntityStoreAssignmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(customEntityStoreAssignmentRequestBody != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(customEntityStoreAssignmentRequestBody, 
Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) 
+ { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deleted a custom entity store assignment + /// + /// + /// Delete a custom entity store assignment by name for a provided subscription + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (customEntityStoreAssignmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "customEntityStoreAssignmentName"); + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary 
tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("customEntityStoreAssignmentName", customEntityStoreAssignmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customEntityStoreAssignments/{customEntityStoreAssignmentName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{customEntityStoreAssignmentName}", System.Uri.EscapeDataString(customEntityStoreAssignmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + 
tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/customEntityStoreAssignments").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/customEntityStoreAssignments").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The NextLink from 
the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperationsExtensions.cs new file mode 100644 index 000000000000..d5149fa00e0e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/CustomEntityStoreAssignmentsOperationsExtensions.cs 
@@ -0,0 +1,340 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for CustomEntityStoreAssignmentsOperations. + /// + public static partial class CustomEntityStoreAssignmentsOperationsExtensions + { + /// + /// Gets a custom entity store assignment + /// + /// + /// Gets a single custom entity store assignment by name for the provided + /// subscription and resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + public static CustomEntityStoreAssignment Get(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName) + { + return operations.GetAsync(resourceGroupName, customEntityStoreAssignmentName).GetAwaiter().GetResult(); + } + + /// + /// Gets a custom entity store assignment + /// + /// + /// Gets a single custom entity store assignment by name for the provided + /// subscription and resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, customEntityStoreAssignmentName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates a custom entity store assignment + /// + /// + /// Creates a custom entity store assignment for the provided subscription, if + /// not already exists. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The principal assigned with entity store. If not provided, will use caller + /// principal. Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// + public static CustomEntityStoreAssignment Create(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName, string principal = default(string)) + { + return operations.CreateAsync(resourceGroupName, customEntityStoreAssignmentName, principal).GetAwaiter().GetResult(); + } + + /// + /// Creates a custom entity store assignment + /// + /// + /// Creates a custom entity store assignment for the provided subscription, if + /// not already exists. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The principal assigned with entity store. If not provided, will use caller + /// principal. 
Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// + /// + /// The cancellation token. + /// + public static async Task CreateAsync(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName, string principal = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(resourceGroupName, customEntityStoreAssignmentName, principal, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deleted a custom entity store assignment + /// + /// + /// Delete a custom entity store assignment by name for a provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + public static void Delete(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName) + { + operations.DeleteAsync(resourceGroupName, customEntityStoreAssignmentName).GetAwaiter().GetResult(); + } + + /// + /// Deleted a custom entity store assignment + /// + /// + /// Delete a custom entity store assignment by name for a provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, string customEntityStoreAssignmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, customEntityStoreAssignmentName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroup(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupAsync(this ICustomEntityStoreAssignmentsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListBySubscription(this ICustomEntityStoreAssignmentsOperations operations) + { + return operations.ListBySubscriptionAsync().GetAwaiter().GetResult(); + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this ICustomEntityStoreAssignmentsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListByResourceGroupNext(this ICustomEntityStoreAssignmentsOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List custom entity store assignments in a subscription and a resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupNextAsync(this ICustomEntityStoreAssignmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySubscriptionNext(this ICustomEntityStoreAssignmentsOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListBySubscriptionNextAsync(this ICustomEntityStoreAssignmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperations.cs b/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperations.cs new file mode 100644 index 000000000000..5b6b3778b606 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperations.cs 
@@ -0,0 +1,992 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// DeviceSecurityGroupsOperations operations. + /// + internal partial class DeviceSecurityGroupsOperations : IServiceOperations, IDeviceSecurityGroupsOperations + { + /// + /// Initializes a new instance of the DeviceSecurityGroupsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal DeviceSecurityGroupsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/deviceSecurityGroups").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the device security group for the specified IoT Hub + /// resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. 
Note that the name of the device + /// security group is case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (deviceSecurityGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "deviceSecurityGroupName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("deviceSecurityGroupName", deviceSecurityGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/deviceSecurityGroups/{deviceSecurityGroupName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{deviceSecurityGroupName}", System.Uri.EscapeDataString(deviceSecurityGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await 
Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + 
if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to creates or updates the device security group on a + /// specified IoT Hub resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// Security group object. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, DeviceSecurityGroup deviceSecurityGroup, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (deviceSecurityGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "deviceSecurityGroupName"); + } + if (deviceSecurityGroup == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "deviceSecurityGroup"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("deviceSecurityGroupName", deviceSecurityGroupName); + tracingParameters.Add("deviceSecurityGroup", deviceSecurityGroup); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/deviceSecurityGroups/{deviceSecurityGroupName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{deviceSecurityGroupName}", System.Uri.EscapeDataString(deviceSecurityGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(deviceSecurityGroup != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(deviceSecurityGroup, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// User this method to deletes the device security group. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + if (deviceSecurityGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "deviceSecurityGroupName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("deviceSecurityGroupName", deviceSecurityGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/deviceSecurityGroups/{deviceSecurityGroupName}").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + _url = _url.Replace("{deviceSecurityGroupName}", System.Uri.EscapeDataString(deviceSecurityGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperationsExtensions.cs new file mode 100644 index 000000000000..455397ad11d5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/DeviceSecurityGroupsOperationsExtensions.cs 
@@ -0,0 +1,230 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for DeviceSecurityGroupsOperations. + /// + public static partial class DeviceSecurityGroupsOperationsExtensions + { + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + public static IPage List(this IDeviceSecurityGroupsOperations operations, string resourceId) + { + return operations.ListAsync(resourceId).GetAwaiter().GetResult(); + } + + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IDeviceSecurityGroupsOperations operations, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get the device security group for the specified IoT Hub + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. 
Note that the name of the device + /// security group is case insensitive. + /// + public static DeviceSecurityGroup Get(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName) + { + return operations.GetAsync(resourceId, deviceSecurityGroupName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the device security group for the specified IoT Hub + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceId, deviceSecurityGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to creates or updates the device security group on a + /// specified IoT Hub resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// Security group object. + /// + public static DeviceSecurityGroup CreateOrUpdate(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName, DeviceSecurityGroup deviceSecurityGroup) + { + return operations.CreateOrUpdateAsync(resourceId, deviceSecurityGroupName, deviceSecurityGroup).GetAwaiter().GetResult(); + } + + /// + /// Use this method to creates or updates the device security group on a + /// specified IoT Hub resource. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// Security group object. + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName, DeviceSecurityGroup deviceSecurityGroup, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceId, deviceSecurityGroupName, deviceSecurityGroup, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// User this method to deletes the device security group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + public static void Delete(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName) + { + operations.DeleteAsync(resourceId, deviceSecurityGroupName).GetAwaiter().GetResult(); + } + + /// + /// User this method to deletes the device security group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the device + /// security group is case insensitive. + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this IDeviceSecurityGroupsOperations operations, string resourceId, string deviceSecurityGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceId, deviceSecurityGroupName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IDeviceSecurityGroupsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Use this method get the list of device security groups for the specified + /// IoT Hub resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IDeviceSecurityGroupsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperations.cs new file mode 100644 index 000000000000..986b60e872f0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperations.cs 
@@ -0,0 +1,995 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// DiscoveredSecuritySolutionsOperations operations. + /// + internal partial class DiscoveredSecuritySolutionsOperations : IServiceOperations, IDiscoveredSecuritySolutionsOperations + { + /// + /// Initializes a new instance of the DiscoveredSecuritySolutionsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal DiscoveredSecuritySolutionsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/discoveredSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/discoveredSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a specific discovered Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a discovered security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string discoveredSecuritySolutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (discoveredSecuritySolutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "discoveredSecuritySolutionName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("discoveredSecuritySolutionName", 
discoveredSecuritySolutionName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/discoveredSecuritySolutions/{discoveredSecuritySolutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{discoveredSecuritySolutionName}", System.Uri.EscapeDataString(discoveredSecuritySolutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperationsExtensions.cs
new file mode 100644
index 000000000000..33eab088f695
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/DiscoveredSecuritySolutionsOperationsExtensions.cs
@@ -0,0 +1,195 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for DiscoveredSecuritySolutionsOperations. + /// + public static partial class DiscoveredSecuritySolutionsOperationsExtensions + { + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IDiscoveredSecuritySolutionsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IDiscoveredSecuritySolutionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListByHomeRegion(this IDiscoveredSecuritySolutionsOperations operations) + { + return operations.ListByHomeRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionAsync(this IDiscoveredSecuritySolutionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a specific discovered Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a discovered security solution. + /// + public static DiscoveredSecuritySolution Get(this IDiscoveredSecuritySolutionsOperations operations, string resourceGroupName, string discoveredSecuritySolutionName) + { + return operations.GetAsync(resourceGroupName, discoveredSecuritySolutionName).GetAwaiter().GetResult(); + } + + /// + /// Gets a specific discovered Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a discovered security solution. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IDiscoveredSecuritySolutionsOperations operations, string resourceGroupName, string discoveredSecuritySolutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, discoveredSecuritySolutionName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IDiscoveredSecuritySolutionsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IDiscoveredSecuritySolutionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByHomeRegionNext(this IDiscoveredSecuritySolutionsOperations operations, string nextPageLink) + { + return operations.ListByHomeRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of discovered Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByHomeRegionNextAsync(this IDiscoveredSecuritySolutionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperations.cs new file mode 100644 index 000000000000..436163ba715f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperations.cs 
@@ -0,0 +1,995 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ExternalSecuritySolutionsOperations operations. + /// + internal partial class ExternalSecuritySolutionsOperations : IServiceOperations, IExternalSecuritySolutionsOperations + { + /// + /// Initializes a new instance of the ExternalSecuritySolutionsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ExternalSecuritySolutionsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/externalSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/ExternalSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a specific external Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of an external security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string externalSecuritySolutionsName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (externalSecuritySolutionsName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "externalSecuritySolutionsName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("externalSecuritySolutionsName", 
externalSecuritySolutionsName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/ExternalSecuritySolutions/{externalSecuritySolutionsName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{externalSecuritySolutionsName}", System.Uri.EscapeDataString(externalSecuritySolutionsName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperationsExtensions.cs new file mode 100644 index 000000000000..49c9f429e7b9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ExternalSecuritySolutionsOperationsExtensions.cs 
@@ -0,0 +1,195 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ExternalSecuritySolutionsOperations. + /// + public static partial class ExternalSecuritySolutionsOperationsExtensions + { + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IExternalSecuritySolutionsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IExternalSecuritySolutionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListByHomeRegion(this IExternalSecuritySolutionsOperations operations) + { + return operations.ListByHomeRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionAsync(this IExternalSecuritySolutionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a specific external Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of an external security solution. + /// + public static ExternalSecuritySolution Get(this IExternalSecuritySolutionsOperations operations, string resourceGroupName, string externalSecuritySolutionsName) + { + return operations.GetAsync(resourceGroupName, externalSecuritySolutionsName).GetAwaiter().GetResult(); + } + + /// + /// Gets a specific external Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of an external security solution. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IExternalSecuritySolutionsOperations operations, string resourceGroupName, string externalSecuritySolutionsName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, externalSecuritySolutionsName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IExternalSecuritySolutionsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IExternalSecuritySolutionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByHomeRegionNext(this IExternalSecuritySolutionsOperations operations, string nextPageLink) + { + return operations.ListByHomeRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionNextAsync(this IExternalSecuritySolutionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperations.cs new file mode 100644 index 000000000000..96954018f6a6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperations.cs 
@@ -0,0 +1,1038 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceAssignmentsOperations operations. + /// + internal partial class GovernanceAssignmentsOperations : IServiceOperations, IGovernanceAssignmentsOperations + { + /// + /// Initializes a new instance of the GovernanceAssignmentsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal GovernanceAssignmentsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string scope, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/governanceAssignments").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a specific governanceAssignment for the requested scope by + /// AssignmentKey + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group 
+ /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + if (assignmentKey == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assignmentKey"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("assignmentKey", assignmentKey); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new 
System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/governanceAssignments/{assignmentKey}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + _url = _url.Replace("{assignmentKey}", System.Uri.EscapeDataString(assignmentKey)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or update a security GovernanceAssignment on the given + /// subscription. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// GovernanceAssignment over a subscription scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, GovernanceAssignment governanceAssignment, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + if (assignmentKey == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assignmentKey"); + } + if (governanceAssignment == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "governanceAssignment"); + } + if (governanceAssignment != null) + { + governanceAssignment.Validate(); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("assignmentKey", assignmentKey); + tracingParameters.Add("governanceAssignment", governanceAssignment); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/governanceAssignments/{assignmentKey}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + _url = _url.Replace("{assignmentKey}", System.Uri.EscapeDataString(assignmentKey)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(governanceAssignment != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(governanceAssignment, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType 
=System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + 
_result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a GovernanceAssignment over a given scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + if (assignmentKey == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assignmentKey"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("assignmentKey", assignmentKey); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/governanceAssignments/{assignmentKey}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + _url = _url.Replace("{assignmentKey}", System.Uri.EscapeDataString(assignmentKey)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// The NextLink from the previous 
successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperationsExtensions.cs
new file mode 100644
index 000000000000..cbede9d9bc6c
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/GovernanceAssignmentsOperationsExtensions.cs
@@ -0,0 +1,266 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for GovernanceAssignmentsOperations. + /// + public static partial class GovernanceAssignmentsOperationsExtensions + { + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static IPage List(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName) + { + return operations.ListAsync(scope, assessmentName).GetAwaiter().GetResult(); + } + + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, assessmentName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a specific governanceAssignment for the requested scope by + /// AssignmentKey + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + public static GovernanceAssignment Get(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey) + { + return operations.GetAsync(scope, assessmentName, assignmentKey).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceAssignment for the requested scope by + /// AssignmentKey + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scope, assessmentName, assignmentKey, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or update a security GovernanceAssignment on the given + /// subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// GovernanceAssignment over a subscription scope + /// + public static GovernanceAssignment CreateOrUpdate(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey, GovernanceAssignment governanceAssignment) + { + return operations.CreateOrUpdateAsync(scope, assessmentName, assignmentKey, governanceAssignment).GetAwaiter().GetResult(); + } + + /// + /// Creates or update a security GovernanceAssignment on the given + /// subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// GovernanceAssignment over a subscription scope + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey, GovernanceAssignment governanceAssignment, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(scope, assessmentName, assignmentKey, governanceAssignment, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a GovernanceAssignment over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + public static void Delete(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey) + { + operations.DeleteAsync(scope, assessmentName, assignmentKey).GetAwaiter().GetResult(); + } + + /// + /// Delete a GovernanceAssignment over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the required + /// governance assignment + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IGovernanceAssignmentsOperations operations, string scope, string assessmentName, string assignmentKey, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(scope, assessmentName, assignmentKey, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IGovernanceAssignmentsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get security governanceAssignments on all your resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IGovernanceAssignmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperations.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperations.cs new file mode 100644 index 000000000000..7d99ad3d6496 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperations.cs 
@@ -0,0 +1,410 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceRuleOperations operations. + /// + internal partial class GovernanceRuleOperations : IServiceOperations, IGovernanceRuleOperations + { + /// + /// Initializes a new instance of the GovernanceRuleOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal GovernanceRuleOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperationsExtensions.cs new file mode 100644 index 000000000000..15641338b56f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/GovernanceRuleOperationsExtensions.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for GovernanceRuleOperations. + /// + public static partial class GovernanceRuleOperationsExtensions + { + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IGovernanceRuleOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IGovernanceRuleOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IGovernanceRuleOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant governanceRules over a subscription level scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IGovernanceRuleOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperations.cs new file mode 100644 index 000000000000..09585cfd1e2e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperations.cs 
@@ -0,0 +1,1137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceRulesOperations operations. + /// + internal partial class GovernanceRulesOperations : IServiceOperations, IGovernanceRulesOperations + { + /// + /// Initializes a new instance of the GovernanceRulesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal GovernanceRulesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or update a security GovernanceRule on the given subscription. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string ruleId, GovernanceRule governanceRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (governanceRule == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "governanceRule"); + } + if (governanceRule != null) + { + governanceRule.Validate(); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("governanceRule", 
governanceRule); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(governanceRule != null) + { + _requestContent = 
Rest.Serialization.SafeJsonConvert.SerializeObject(governanceRule, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + 
ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = 
await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Execute a security GovernanceRule on the given subscription. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + public async Task> RuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(string ruleId, bool? overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationHeaderResponse _response = await BeginRuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(ruleId, overrideParameter, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + public async Task> RuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, bool? 
overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationHeaderResponse _response = await BeginRuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, overrideParameter, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> BeginRuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(string ruleId, bool? 
overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + ExecuteGovernanceRuleParams executeGovernanceRuleParams = default(ExecuteGovernanceRuleParams); + if (overrideParameter != null) + { + executeGovernanceRuleParams = new ExecuteGovernanceRuleParams(); + executeGovernanceRuleParams.OverrideProperty = overrideParameter; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("executeGovernanceRuleParams", executeGovernanceRuleParams); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginRuleIdExecuteSingleSubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules/{ruleId}/execute").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(executeGovernanceRuleParams != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(executeGovernanceRuleParams, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + 
// Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationHeaderResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + try + { + _result.Headers = _httpResponse.GetHeadersAsJson().ToObject(JsonSerializer.Create(Client.DeserializationSettings)); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the headers.", _httpResponse.GetHeadersAsJson().ToString(), ex); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> BeginRuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, bool? 
overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + ExecuteGovernanceRuleParams executeGovernanceRuleParams = default(ExecuteGovernanceRuleParams); + if (overrideParameter != null) + { + executeGovernanceRuleParams = new ExecuteGovernanceRuleParams(); + executeGovernanceRuleParams.OverrideProperty = overrideParameter; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary 
tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("executeGovernanceRuleParams", executeGovernanceRuleParams); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginRuleIdExecuteSingleSecurityConnector", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules/{ruleId}/execute").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(executeGovernanceRuleParams != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(executeGovernanceRuleParams, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationHeaderResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + try + { + _result.Headers = _httpResponse.GetHeadersAsJson().ToObject(JsonSerializer.Create(Client.DeserializationSettings)); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the headers.", _httpResponse.GetHeadersAsJson().ToString(), ex); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, 
_result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperationsExtensions.cs new file mode 100644 index 000000000000..fedde0810c58 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/GovernanceRulesOperationsExtensions.cs 
@@ -0,0 +1,332 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for GovernanceRulesOperations. + /// + public static partial class GovernanceRulesOperationsExtensions + { + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + public static GovernanceRule Get(this IGovernanceRulesOperations operations, string ruleId) + { + return operations.GetAsync(ruleId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IGovernanceRulesOperations operations, string ruleId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(ruleId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or update a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + public static GovernanceRule CreateOrUpdate(this IGovernanceRulesOperations operations, string ruleId, GovernanceRule governanceRule) + { + return operations.CreateOrUpdateAsync(ruleId, governanceRule).GetAwaiter().GetResult(); + } + + /// + /// Creates or update a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IGovernanceRulesOperations operations, string ruleId, GovernanceRule governanceRule, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(ruleId, governanceRule, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + public static void Delete(this IGovernanceRulesOperations operations, string ruleId) + { + operations.DeleteAsync(ruleId).GetAwaiter().GetResult(); + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this IGovernanceRulesOperations operations, string ruleId, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(ruleId, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + public static GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders RuleIdExecuteSingleSubscription(this IGovernanceRulesOperations operations, string ruleId, bool? overrideParameter = default(bool?)) + { + return operations.RuleIdExecuteSingleSubscriptionAsync(ruleId, overrideParameter).GetAwaiter().GetResult(); + } + + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The cancellation token. + /// + public static async Task RuleIdExecuteSingleSubscriptionAsync(this IGovernanceRulesOperations operations, string ruleId, bool? overrideParameter = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.RuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(ruleId, overrideParameter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Headers; + } + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + public static GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders RuleIdExecuteSingleSecurityConnector(this IGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?)) + { + return operations.RuleIdExecuteSingleSecurityConnectorAsync(resourceGroupName, securityConnectorName, ruleId, overrideParameter).GetAwaiter().GetResult(); + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The cancellation token. + /// + public static async Task RuleIdExecuteSingleSecurityConnectorAsync(this IGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.RuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, overrideParameter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Headers; + } + } + + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + public static GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders BeginRuleIdExecuteSingleSubscription(this IGovernanceRulesOperations operations, string ruleId, bool? overrideParameter = default(bool?)) + { + return operations.BeginRuleIdExecuteSingleSubscriptionAsync(ruleId, overrideParameter).GetAwaiter().GetResult(); + } + + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The cancellation token. + /// + public static async Task BeginRuleIdExecuteSingleSubscriptionAsync(this IGovernanceRulesOperations operations, string ruleId, bool? overrideParameter = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.BeginRuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(ruleId, overrideParameter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Headers; + } + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + public static GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders BeginRuleIdExecuteSingleSecurityConnector(this IGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?)) + { + return operations.BeginRuleIdExecuteSingleSecurityConnectorAsync(resourceGroupName, securityConnectorName, ruleId, overrideParameter).GetAwaiter().GetResult(); + } + + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The cancellation token. + /// + public static async Task BeginRuleIdExecuteSingleSecurityConnectorAsync(this IGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.BeginRuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, overrideParameter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Headers; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAdaptiveApplicationControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAdaptiveApplicationControlsOperations.cs new file mode 100644 index 000000000000..695e503a7b24 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IAdaptiveApplicationControlsOperations.cs 
@@ -0,0 +1,118 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdaptiveApplicationControlsOperations operations. + /// + public partial interface IAdaptiveApplicationControlsOperations + { + /// + /// Gets a list of application control machine groups for the + /// subscription. + /// + /// + /// Include the policy rules + /// + /// + /// Return output in a summarized form + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(bool? includePathRecommendations = default(bool?), bool? summary = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets an application control VM/server group. + /// + /// + /// Name of an application control machine group + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string groupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update an application control machine group + /// + /// + /// Name of an application control machine group + /// + /// + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> PutWithHttpMessagesAsync(string groupName, AdaptiveApplicationControlGroup body, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete an application control machine group + /// + /// + /// Name of an application control machine group + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string groupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAdaptiveNetworkHardeningsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAdaptiveNetworkHardeningsOperations.cs new file mode 100644 index 000000000000..4b9f355f44a6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAdaptiveNetworkHardeningsOperations.cs 
@@ -0,0 +1,198 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdaptiveNetworkHardeningsOperations operations. + /// + public partial interface IAdaptiveNetworkHardeningsOperations + { + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a single Adaptive Network Hardening resource + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. 
+ /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups + /// that will be updated with the created security rules from the + /// Adaptive Network Hardening rules + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task EnforceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Enforces the given rules on the NSG(s) listed in the request + /// + /// + /// The name of the resource group within the user's subscription. 
The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The name of the Adaptive Network Hardening resource. + /// + /// + /// The rules to enforce + /// + /// + /// The Azure resource IDs of the effective network security groups + /// that will be updated with the created security rules from the + /// Adaptive Network Hardening rules + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task BeginEnforceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string adaptiveNetworkHardeningResourceName, IList rules, IList networkSecurityGroups, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of Adaptive Network Hardenings resources in scope of an + /// extended resource. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByExtendedResourceNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAdvancedThreatProtectionOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAdvancedThreatProtectionOperations.cs new file mode 100644 index 000000000000..c87519d2675f --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IAdvancedThreatProtectionOperations.cs 
@@ -0,0 +1,76 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AdvancedThreatProtectionOperations operations. + /// + public partial interface IAdvancedThreatProtectionOperations + { + /// + /// Gets the Advanced Threat Protection settings for the specified + /// resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or updates the Advanced Threat Protection settings on a + /// specified resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// Indicates whether Advanced Threat Protection is enabled. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string resourceId, bool? 
isEnabled = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAlertsSuppressionRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAlertsSuppressionRulesOperations.cs new file mode 100644 index 000000000000..41741b5ec51b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAlertsSuppressionRulesOperations.cs 
@@ -0,0 +1,138 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AlertsSuppressionRulesOperations operations. + /// + public partial interface IAlertsSuppressionRulesOperations + { + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// Type of the alert to get rules for + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string alertType = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get dismiss rule, with name: {alertsSuppressionRuleName}, for the + /// given subscription + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string alertsSuppressionRuleName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Update existing rule or create new rule if it doesn't exist + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// Suppression rule object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string alertsSuppressionRuleName, AlertsSuppressionRule alertsSuppressionRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete dismiss alert rule for this subscription. + /// + /// + /// The unique name of the suppression alert rule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string alertsSuppressionRuleName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List of all the dismiss rules for the given subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAllowedConnectionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAllowedConnectionsOperations.cs new file mode 100644 index 000000000000..3dbfd8bc6b6f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAllowedConnectionsOperations.cs 
@@ -0,0 +1,141 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AllowedConnectionsOperations operations. + /// + public partial interface IAllowedConnectionsOperations + { + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location, based on connection type. 
+ /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The type of allowed connections (Internal, External). Possible + /// values include: 'Internal', 'External' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string connectionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the list of all possible traffic between resources for the + /// subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the list of all possible traffic between resources for the + /// subscription and location. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IApplicationOperations.cs b/src/Security/Security.Management.Sdk/Generated/IApplicationOperations.cs new file mode 100644 index 000000000000..80b375f9e231 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IApplicationOperations.cs 
@@ -0,0 +1,96 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ApplicationOperations operations. + /// + public partial interface IApplicationOperations + { + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or update a security application on the given subscription. + /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// Application over a subscription scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string applicationId, Application application, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete an Application over a given scope + /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IApplicationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IApplicationsOperations.cs new file mode 100644 index 000000000000..26b637913816 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IApplicationsOperations.cs 
@@ -0,0 +1,70 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ApplicationsOperations operations. + /// + public partial interface IApplicationsOperations + { + /// + /// Get a list of all relevant applications over a subscription level + /// scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a list of all relevant applications over a subscription level + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IAssessmentsMetadataOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAssessmentsMetadataOperations.cs new file mode 100644 index 000000000000..71304eab8ddc --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAssessmentsMetadataOperations.cs 
@@ -0,0 +1,203 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AssessmentsMetadataOperations operations. + /// + public partial interface IAssessmentsMetadataOperations + { + /// + /// Get metadata information on all assessment types + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get metadata information on an assessment type + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get metadata information on all assessment types in a specific + /// subscription + /// + /// + /// The headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get metadata information on an assessment type in a specific + /// subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create metadata information on an assessment type in a specific + /// subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// AssessmentMetadata object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, SecurityAssessmentMetadataResponse assessmentMetadata, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete metadata information on an assessment type in a specific + /// subscription, will cause the deletion of all the assessments of + /// that type in that subscription + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteInSubscriptionWithHttpMessagesAsync(string assessmentMetadataName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get metadata information on all assessment types + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get metadata information on all assessment types in a specific + /// subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAssessmentsOperations.cs new file mode 100644 index 000000000000..bf1a399b1507 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAssessmentsOperations.cs 
@@ -0,0 +1,158 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AssessmentsOperations operations. + /// + public partial interface IAssessmentsOperations + { + /// + /// Get security assessments on all your scanned resources inside a + /// scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a security assessment on your scanned resource + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// OData expand. Optional. Possible values include: 'links', + /// 'metadata' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceId, string assessmentName, string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create a security assessment on your resource. An assessment + /// metadata that describes this assessment must be predefined with the + /// same name before inserting the assessment result + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Calculated assessment on a pre-defined assessment metadata + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceId, string assessmentName, SecurityAssessment assessment, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a security assessment on your resource. An assessment + /// metadata that describes this assessment must be predefined with the + /// same name before inserting the assessment result + /// + /// + /// The identifier of the resource. + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceId, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get security assessments on all your scanned resources inside a + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAutoProvisioningSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAutoProvisioningSettingsOperations.cs new file mode 100644 index 000000000000..571b1fea820f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAutoProvisioningSettingsOperations.cs 
@@ -0,0 +1,116 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AutoProvisioningSettingsOperations operations. + /// + public partial interface IAutoProvisioningSettingsOperations + { + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of a specific setting + /// + /// + /// Auto provisioning setting key + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string settingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of a specific setting + /// + /// + /// Auto provisioning setting key + /// + /// + /// Describes what kind of security agent provisioning action to take. 
+ /// Possible values include: 'On', 'Off' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string settingName, string autoProvision, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Exposes the auto provisioning settings of the subscriptions + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IAutomationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IAutomationsOperations.cs new file mode 100644 index 000000000000..a36ee0aad28a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IAutomationsOperations.cs 
@@ -0,0 +1,231 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// AutomationsOperations operations. + /// + public partial interface IAutomationsOperations + { + /// + /// Lists all the security automations in the specified subscription. + /// Use the 'nextLink' property in the response to get the next page of + /// security automations for the specified subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security automations in the specified resource group. + /// Use the 'nextLink' property in the response to get the next page of + /// security automations for the specified resource group. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Retrieves information about the model of a security automation. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string automationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or updates a security automation. If a security automation + /// is already created and a subsequent request is issued for the same + /// automation id, then it will be updated. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string automationName, Automation automation, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes a security automation. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string automationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Validates the security automation model before create or update. + /// Any validation errors are returned to the client. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security automation name. + /// + /// + /// The security automation resource + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ValidateWithHttpMessagesAsync(string resourceGroupName, string automationName, Automation automation, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security automations in the specified subscription. + /// Use the 'nextLink' property in the response to get the next page of + /// security automations for the specified subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security automations in the specified resource group. + /// Use the 'nextLink' property in the response to get the next page of + /// security automations for the specified resource group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IComplianceResultsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IComplianceResultsOperations.cs new file mode 100644 index 000000000000..4f5a7c6d91af --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IComplianceResultsOperations.cs 
@@ -0,0 +1,98 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ComplianceResultsOperations operations. + /// + public partial interface IComplianceResultsOperations + { + /// + /// Security compliance results in the subscription + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Security Compliance Result + /// + /// + /// The identifier of the resource. + /// + /// + /// name of the desired assessment compliance result + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceId, string complianceResultName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Security compliance results in the subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ICompliancesOperations.cs b/src/Security/Security.Management.Sdk/Generated/ICompliancesOperations.cs new file mode 100644 index 000000000000..7fe5b67bd1c7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ICompliancesOperations.cs 
@@ -0,0 +1,100 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CompliancesOperations operations. + /// + public partial interface ICompliancesOperations + { + /// + /// The Compliance scores of the specific management group. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of a specific Compliance. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// name of the Compliance + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scope, string complianceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// The Compliance scores of the specific management group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IConnectorsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IConnectorsOperations.cs new file mode 100644 index 000000000000..864144851048 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IConnectorsOperations.cs 
@@ -0,0 +1,142 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ConnectorsOperations operations. + /// + public partial interface IConnectorsOperations + { + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of a specific cloud account connector + /// + /// + /// Name of the cloud account connector + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string connectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create a cloud account connector or update an existing one. Connect + /// to your cloud account. For AWS, use either account credentials or + /// role-based authentication. 
For GCP, use account organization + /// credentials. + /// + /// + /// Name of the cloud account connector + /// + /// + /// Settings for hybrid compute management. These settings are relevant + /// only for Arc autoProvision (Hybrid Compute). + /// + /// + /// Settings for authentication management, these settings are relevant + /// only for the cloud connector. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string connectorName, HybridComputeSettingsProperties hybridComputeSettings = default(HybridComputeSettingsProperties), AuthenticationDetailsProperties authenticationDetails = default(AuthenticationDetailsProperties), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a cloud account connector from a subscription + /// + /// + /// Name of the cloud account connector + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string connectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Cloud accounts connectors of a subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ICustomAssessmentAutomationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ICustomAssessmentAutomationsOperations.cs new file mode 100644 index 000000000000..da6733283a0e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ICustomAssessmentAutomationsOperations.cs 
@@ -0,0 +1,220 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CustomAssessmentAutomationsOperations operations. + /// + public partial interface ICustomAssessmentAutomationsOperations + { + /// + /// Gets a custom assessment automation + /// + /// + /// Gets a single custom assessment automation by name for the provided + /// subscription and resource group. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates a custom assessment automation + /// + /// + /// Creates or updates a custom assessment automation for the provided + /// subscription. Please note that providing an existing custom + /// assessment automation will replace the existing record. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. 
+ /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// Custom Assessment Automation body + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, CustomAssessmentAutomationRequest customAssessmentAutomationBody, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes a custom assessment automation + /// + /// + /// Deletes a custom assessment automation by name for a provided + /// subscription + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the Custom Assessment Automation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string customAssessmentAutomationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom assessment automations in a subscription and a resource + /// group + /// + /// + /// List custom assessment automations by provided subscription and + /// resource group + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom assessment automations in a subscription and a resource + /// group + /// + /// + /// List custom assessment automations by provided subscription and + /// resource group + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom assessment automations in a subscription + /// + /// + /// List custom assessment automations by provided subscription + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ICustomEntityStoreAssignmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ICustomEntityStoreAssignmentsOperations.cs new file mode 100644 index 000000000000..9235180f0e65 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ICustomEntityStoreAssignmentsOperations.cs 
@@ -0,0 +1,221 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// CustomEntityStoreAssignmentsOperations operations. + /// + public partial interface ICustomEntityStoreAssignmentsOperations + { + /// + /// Gets a custom entity store assignment + /// + /// + /// Gets a single custom entity store assignment by name for the + /// provided subscription and resource group. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates a custom entity store assignment + /// + /// + /// Creates a custom entity store assignment for the provided + /// subscription, if not already exists. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. 
+ /// + /// + /// The principal assigned with entity store. If not provided, will use + /// caller principal. Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, string principal = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deleted a custom entity store assignment + /// + /// + /// Delete a custom entity store assignment by name for a provided + /// subscription + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the custom entity store assignment. Generated name is GUID. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string customEntityStoreAssignmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom entity store assignments in a subscription and a + /// resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom entity store assignments in a subscription and a + /// resource group + /// + /// + /// List custom entity store assignments by a provided subscription and + /// resource group + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List custom entity store assignments in a subscription + /// + /// + /// List custom entity store assignments by provided subscription + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IDeviceSecurityGroupsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IDeviceSecurityGroupsOperations.cs new file mode 100644 index 000000000000..b42dcc21b25c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IDeviceSecurityGroupsOperations.cs 
@@ -0,0 +1,153 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// DeviceSecurityGroupsOperations operations. + /// + public partial interface IDeviceSecurityGroupsOperations + { + /// + /// Use this method get the list of device security groups for the + /// specified IoT Hub resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the device security group for the specified + /// IoT Hub resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the + /// device security group is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to creates or updates the device security group on + /// a specified IoT Hub resource. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the + /// device security group is case insensitive. + /// + /// + /// Security group object. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, DeviceSecurityGroup deviceSecurityGroup, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// User this method to deletes the device security group. + /// + /// + /// The identifier of the resource. + /// + /// + /// The name of the device security group. Note that the name of the + /// device security group is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceId, string deviceSecurityGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method get the list of device security groups for the + /// specified IoT Hub resource. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IDiscoveredSecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IDiscoveredSecuritySolutionsOperations.cs new file mode 100644 index 000000000000..729cbdd31541 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IDiscoveredSecuritySolutionsOperations.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// DiscoveredSecuritySolutionsOperations operations. + /// + public partial interface IDiscoveredSecuritySolutionsOperations + { + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of discovered Security Solutions for the subscription + /// and location. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a specific discovered Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. 
+ /// + /// + /// Name of a discovered security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string discoveredSecuritySolutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of discovered Security Solutions for the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of discovered Security Solutions for the subscription + /// and location. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IExternalSecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IExternalSecuritySolutionsOperations.cs new file mode 100644 index 000000000000..f258aaadccdb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IExternalSecuritySolutionsOperations.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ExternalSecuritySolutionsOperations operations. + /// + public partial interface IExternalSecuritySolutionsOperations + { + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a specific external Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. 
+ /// + /// + /// Name of an external security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string externalSecuritySolutionsName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of external security solutions for the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of external Security Solutions for the subscription and + /// location. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IGovernanceAssignmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IGovernanceAssignmentsOperations.cs new file mode 100644 index 000000000000..e5b45d3c8256 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IGovernanceAssignmentsOperations.cs 
@@ -0,0 +1,173 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceAssignmentsOperations operations. + /// + public partial interface IGovernanceAssignmentsOperations + { + /// + /// Get security governanceAssignments on all your resources inside a + /// scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a specific governanceAssignment for the requested scope by + /// AssignmentKey + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). 
+ /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the + /// required governance assignment + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or update a security GovernanceAssignment on the given + /// subscription. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the + /// required governance assignment + /// + /// + /// GovernanceAssignment over a subscription scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, GovernanceAssignment governanceAssignment, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a GovernanceAssignment over a given scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The security governance assignment key - the assessment key of the + /// required governance assignment + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string scope, string assessmentName, string assignmentKey, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get security governanceAssignments on all your resources inside a + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IGovernanceRuleOperations.cs b/src/Security/Security.Management.Sdk/Generated/IGovernanceRuleOperations.cs new file mode 100644 index 000000000000..e711bb80e2fb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IGovernanceRuleOperations.cs 
@@ -0,0 +1,70 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceRuleOperations operations. + /// + public partial interface IGovernanceRuleOperations + { + /// + /// Get a list of all relevant governanceRules over a subscription + /// level scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a list of all relevant governanceRules over a subscription + /// level scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IGovernanceRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/IGovernanceRulesOperations.cs new file mode 100644 index 000000000000..3a7c36caadd4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IGovernanceRulesOperations.cs 
@@ -0,0 +1,203 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// GovernanceRulesOperations operations. + /// + public partial interface IGovernanceRulesOperations + { + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or update a security GovernanceRule on the given + /// subscription. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string ruleId, GovernanceRule governanceRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task> RuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(string ruleId, bool? overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task> RuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Execute a security GovernanceRule on the given subscription. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task> BeginRuleIdExecuteSingleSubscriptionWithHttpMessagesAsync(string ruleId, bool? overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Execute a security GovernanceRule on the given security connector. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Describe if governance rule should be override + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task> BeginRuleIdExecuteSingleSecurityConnectorWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, bool? overrideParameter = default(bool?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IInformationProtectionPoliciesOperations.cs b/src/Security/Security.Management.Sdk/Generated/IInformationProtectionPoliciesOperations.cs new file mode 100644 index 000000000000..96cca84bafc9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IInformationProtectionPoliciesOperations.cs 
@@ -0,0 +1,135 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// InformationProtectionPoliciesOperations operations. + /// + public partial interface IInformationProtectionPoliciesOperations + { + /// + /// Details of the information protection policy. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scope, string informationProtectionPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of the information protection policy. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. 
Possible values include: + /// 'effective', 'custom' + /// + /// + /// Dictionary of sensitivity labels. + /// + /// + /// The sensitivity information types. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string scope, string informationProtectionPolicyName, IDictionary labels = default(IDictionary), IDictionary informationTypes = default(IDictionary), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Information protection policies of a specific management group. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Information protection policies of a specific management group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IIngestionSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IIngestionSettingsOperations.cs new file mode 100644 index 000000000000..04f385265d58 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IIngestionSettingsOperations.cs 
@@ -0,0 +1,183 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IngestionSettingsOperations operations. + /// + public partial interface IIngestionSettingsOperations + { + /// + /// Settings for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create setting for ingesting security data and logs to correlate + /// with resources associated with the subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Ingestion setting data + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string ingestionSettingName, object properties = default(object), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes the ingestion settings for this subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Returns the token that is used for correlating ingested telemetry + /// with the resources in the subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListTokensWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Connection strings for ingesting security scan logs and data. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListConnectionStringsWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionAnalyticsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionAnalyticsOperations.cs new file mode 100644 index 000000000000..77bf28bc2fd7 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionAnalyticsOperations.cs 
@@ -0,0 +1,79 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionAnalyticsOperations operations. + /// + public partial interface IIotSecuritySolutionAnalyticsOperations + { + /// + /// Use this method to get IoT security Analytics metrics in an array. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get IoT Security Analytics metrics. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionOperations.cs b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionOperations.cs new file mode 100644 index 000000000000..bed20a0e02df --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionOperations.cs 
@@ -0,0 +1,235 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionOperations operations. + /// + public partial interface IIotSecuritySolutionOperations + { + /// + /// Use this method to get the list of IoT Security solutions by + /// subscription. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports + /// filtering by iotHubs. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports + /// filtering by iotHubs. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// User this method to get details of a specific IoT Security solution + /// based on solution name + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to create or update yours IoT Security solution + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string solutionName, IoTSecuritySolutionModel iotSecuritySolutionData, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to update existing IoT Security solution tags or + /// user defined resources. To update other fields use the + /// CreateOrUpdate method. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string resourceGroupName, string solutionName, UpdateIotSecuritySolutionData updateIotSecuritySolutionData, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to delete yours IoT Security solution + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the list of IoT Security solutions by + /// subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs new file mode 100644 index 000000000000..00fba045b9ba --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionsAnalyticsAggregatedAlertOperations operations. + /// + public partial interface IIotSecuritySolutionsAnalyticsAggregatedAlertOperations + { + /// + /// Use this method to get the aggregated alert list of yours IoT + /// Security solution. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, int? top = default(int?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get a single the aggregated alert of yours IoT + /// Security solution. This aggregation is performed by alert name. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedAlertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to dismiss an aggregated IoT Security Solution + /// Alert. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DismissWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedAlertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the aggregated alert list of yours IoT + /// Security solution. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsRecommendationOperations.cs b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsRecommendationOperations.cs new file mode 100644 index 000000000000..ef803c0beac5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IIotSecuritySolutionsAnalyticsRecommendationOperations.cs 
@@ -0,0 +1,111 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionsAnalyticsRecommendationOperations operations. + /// + public partial interface IIotSecuritySolutionsAnalyticsRecommendationOperations + { + /// + /// Use this method to get the aggregated security analytics + /// recommendation of yours IoT Security solution. This aggregation is + /// performed by recommendation name. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Name of the recommendation aggregated for this query. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedRecommendationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, int? top = default(int?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IJitNetworkAccessPoliciesOperations.cs b/src/Security/Security.Management.Sdk/Generated/IJitNetworkAccessPoliciesOperations.cs new file mode 100644 index 000000000000..189cf30a96de --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IJitNetworkAccessPoliciesOperations.cs 
@@ -0,0 +1,319 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// JitNetworkAccessPoliciesOperations operations. + /// + public partial interface IJitNetworkAccessPoliciesOperations + { + /// + /// Policies for protecting resources using Just-in-Time access + /// control. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupAndRegionWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The name of the resource group within the user's subscription. 
The + /// name is case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create a policy for protecting resources using Just-in-Time access + /// control + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, JitNetworkAccessPolicy body, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a Just-in-Time access control policy. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Initiate a JIT access from a specific Just-in-Time policy + /// configuration. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// A list of virtual machines & ports to open access for + /// + /// + /// The justification for making the initiate request + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> InitiateWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, IList virtualMachines, string justification = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access + /// control. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Policies for protecting resources using Just-in-Time access control + /// for the subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupAndRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ILocationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ILocationsOperations.cs new file mode 100644 index 000000000000..f8aa5ec2d81e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ILocationsOperations.cs 
@@ -0,0 +1,93 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// LocationsOperations operations. + /// + public partial interface ILocationsOperations + { + /// + /// The location of the responsible ASC of the specific subscription + /// (home region). For each subscription there is only one responsible + /// location. The location in the response should be used to read or + /// write other resources in ASC according to their ID. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details of a specific location + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// The location of the responsible ASC of the specific subscription + /// (home region). 
For each subscription there is only one responsible + /// location. The location in the response should be used to read or + /// write other resources in ASC according to their ID. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IMdeOnboardingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IMdeOnboardingsOperations.cs new file mode 100644 index 000000000000..a3a4e1af5336 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IMdeOnboardingsOperations.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// MdeOnboardingsOperations operations. + /// + public partial interface IMdeOnboardingsOperations + { + /// + /// The configuration or data needed to onboard the machine to MDE + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// The default configuration or data needed to onboard the machine to + /// MDE + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IOperations.cs b/src/Security/Security.Management.Sdk/Generated/IOperations.cs new file mode 100644 index 000000000000..dff12f4f27ac --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IOperations.cs @@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Operations operations. + /// + public partial interface IOperations + { + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IPricingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IPricingsOperations.cs new file mode 100644 index 000000000000..be6bceeb82af --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IPricingsOperations.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// PricingsOperations operations. + /// + public partial interface IPricingsOperations + { + /// + /// Lists Microsoft Defender for Cloud pricing configurations in the + /// subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a provided Microsoft Defender for Cloud pricing configuration + /// in the subscription. + /// + /// + /// name of the pricing configuration + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string pricingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Updates a provided Microsoft Defender for Cloud pricing + /// configuration in the subscription. 
+ /// + /// + /// name of the pricing configuration + /// + /// + /// The pricing tier value. Microsoft Defender for Cloud is provided in + /// two pricing tiers: free and standard, with the standard tier + /// available with a trial period. The standard tier offers advanced + /// security capabilities, while the free tier offers basic security + /// features. Possible values include: 'Free', 'Standard' + /// + /// + /// The sub-plan selected for a Standard pricing configuration, when + /// more than one sub-plan is available. Each sub-plan enables a set of + /// security features. When not specified, full plan is applied. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string pricingName, string pricingTier, string subPlan = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceAssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceAssessmentsOperations.cs new file mode 100644 index 000000000000..255632c381ca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceAssessmentsOperations.cs 
@@ -0,0 +1,108 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceAssessmentsOperations operations. + /// + public partial interface IRegulatoryComplianceAssessmentsOperations + { + /// + /// Details and state of assessments mapped to selected regulatory + /// compliance control + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Supported regulatory compliance details and state for selected + /// assessment + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// Name of the regulatory compliance assessment object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string regulatoryComplianceAssessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Details and state of assessments mapped to selected regulatory + /// compliance control + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceControlsOperations.cs new file mode 100644 index 000000000000..e9d53899aae0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceControlsOperations.cs 
@@ -0,0 +1,101 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceControlsOperations operations. + /// + public partial interface IRegulatoryComplianceControlsOperations + { + /// + /// All supported regulatory compliance controls details and state for + /// selected standard + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string regulatoryComplianceStandardName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Selected regulatory compliance control details and state + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// All supported regulatory compliance controls details and state for + /// selected standard + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceStandardsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceStandardsOperations.cs new file mode 100644 index 000000000000..b2d4e1e56d27 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IRegulatoryComplianceStandardsOperations.cs 
@@ -0,0 +1,93 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceStandardsOperations operations. + /// + public partial interface IRegulatoryComplianceStandardsOperations + { + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Supported regulatory compliance details state for selected standard + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlDefinitionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlDefinitionsOperations.cs new file mode 100644 index 000000000000..1d91735fd1e9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlDefinitionsOperations.cs 
@@ -0,0 +1,113 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoreControlDefinitionsOperations operations. + /// + public partial interface ISecureScoreControlDefinitionsOperations + { + /// + /// List the available security controls, their assessments, and the + /// max score + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// For a specified subscription, list the available security controls, + /// their assessments, and the max score + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List the available security controls, their assessments, and the + /// max score + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// For a specified subscription, list the available security controls, + /// their assessments, and the max score + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlsOperations.cs new file mode 100644 index 000000000000..48f818ae653f --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/ISecureScoreControlsOperations.cs 
@@ -0,0 +1,119 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoreControlsOperations operations. + /// + public partial interface ISecureScoreControlsOperations + { + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' + /// as in the sample request below. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySecureScoreWithHttpMessagesAsync(string secureScoreName, string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get all security controls within a scope + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySecureScoreNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get all security controls within a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecureScoresOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecureScoresOperations.cs new file mode 100644 index 000000000000..b40c69042f9e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecureScoresOperations.cs 
@@ -0,0 +1,95 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoresOperations operations. + /// + public partial interface ISecureScoresOperations + { + /// + /// List secure scores for all your Microsoft Defender for Cloud + /// initiatives within your current scope. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get secure score for a specific Microsoft Defender for Cloud + /// initiative within your current scope. For the ASC Default + /// initiative, use 'ascScore'. + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' + /// as in the sample request below. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string secureScoreName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List secure scores for all your Microsoft Defender for Cloud + /// initiatives within your current scope. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs index 78d351964f35..f4f05710ab48 100644 --- a/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityCenterClient.cs @@ -16,8 +16,6 @@ namespace Microsoft.Azure.Management.Security using Newtonsoft.Json; /// - /// API spec for Microsoft.Security (Azure Security Center) alerts resource - /// provider /// public partial interface ISecurityCenterClient : System.IDisposable { 
@@ -41,21 +39,16 @@ public partial interface ISecurityCenterClient : System.IDisposable /// ServiceClientCredentials Credentials { get; } - /// - /// The location where ASC stores the data of the subscription. can be - /// retrieved from Get locations - /// - string AscLocation { get; set; } - /// /// Azure subscription ID /// string SubscriptionId { get; set; } /// - /// API version for the operation + /// The location where ASC stores the data of the subscription. can be + /// retrieved from Get locations /// - string ApiVersion { get; } + string AscLocation { get; set; } /// /// The preferred language for the response. 
@@ -76,10 +69,305 @@ public partial interface ISecurityCenterClient : System.IDisposable bool? GenerateClientRequestId { get; set; } + /// + /// Gets the IMdeOnboardingsOperations. + /// + IMdeOnboardingsOperations MdeOnboardings { get; } + + /// + /// Gets the ICustomAssessmentAutomationsOperations. + /// + ICustomAssessmentAutomationsOperations CustomAssessmentAutomations { get; } + + /// + /// Gets the ICustomEntityStoreAssignmentsOperations. + /// + ICustomEntityStoreAssignmentsOperations CustomEntityStoreAssignments { get; } + + /// + /// Gets the IComplianceResultsOperations. + /// + IComplianceResultsOperations ComplianceResults { get; } + + /// + /// Gets the IPricingsOperations. + /// + IPricingsOperations Pricings { get; } + + /// + /// Gets the IAdvancedThreatProtectionOperations. + /// + IAdvancedThreatProtectionOperations AdvancedThreatProtection { get; } + + /// + /// Gets the IDeviceSecurityGroupsOperations. + /// + IDeviceSecurityGroupsOperations DeviceSecurityGroups { get; } + + /// + /// Gets the IIotSecuritySolutionOperations. + /// + IIotSecuritySolutionOperations IotSecuritySolution { get; } + + /// + /// Gets the IIotSecuritySolutionAnalyticsOperations. + /// + IIotSecuritySolutionAnalyticsOperations IotSecuritySolutionAnalytics { get; } + + /// + /// Gets the IIotSecuritySolutionsAnalyticsAggregatedAlertOperations. + /// + IIotSecuritySolutionsAnalyticsAggregatedAlertOperations IotSecuritySolutionsAnalyticsAggregatedAlert { get; } + + /// + /// Gets the IIotSecuritySolutionsAnalyticsRecommendationOperations. + /// + IIotSecuritySolutionsAnalyticsRecommendationOperations IotSecuritySolutionsAnalyticsRecommendation { get; } + + /// + /// Gets the ILocationsOperations. + /// + ILocationsOperations Locations { get; } + + /// + /// Gets the IOperations. + /// + IOperations Operations { get; } + + /// + /// Gets the ITasksOperations. + /// + ITasksOperations Tasks { get; } + + /// + /// Gets the IAutoProvisioningSettingsOperations. 
+ /// + IAutoProvisioningSettingsOperations AutoProvisioningSettings { get; } + + /// + /// Gets the ICompliancesOperations. + /// + ICompliancesOperations Compliances { get; } + + /// + /// Gets the IInformationProtectionPoliciesOperations. + /// + IInformationProtectionPoliciesOperations InformationProtectionPolicies { get; } + + /// + /// Gets the ISecurityContactsOperations. + /// + ISecurityContactsOperations SecurityContacts { get; } + + /// + /// Gets the IWorkspaceSettingsOperations. + /// + IWorkspaceSettingsOperations WorkspaceSettings { get; } + + /// + /// Gets the IRegulatoryComplianceStandardsOperations. + /// + IRegulatoryComplianceStandardsOperations RegulatoryComplianceStandards { get; } + + /// + /// Gets the IRegulatoryComplianceControlsOperations. + /// + IRegulatoryComplianceControlsOperations RegulatoryComplianceControls { get; } + + /// + /// Gets the IRegulatoryComplianceAssessmentsOperations. + /// + IRegulatoryComplianceAssessmentsOperations RegulatoryComplianceAssessments { get; } + + /// + /// Gets the ISubAssessmentsOperations. + /// + ISubAssessmentsOperations SubAssessments { get; } + + /// + /// Gets the IAutomationsOperations. + /// + IAutomationsOperations Automations { get; } + + /// + /// Gets the IAlertsSuppressionRulesOperations. + /// + IAlertsSuppressionRulesOperations AlertsSuppressionRules { get; } + + /// + /// Gets the IServerVulnerabilityAssessmentOperations. + /// + IServerVulnerabilityAssessmentOperations ServerVulnerabilityAssessment { get; } + + /// + /// Gets the IAssessmentsMetadataOperations. + /// + IAssessmentsMetadataOperations AssessmentsMetadata { get; } + + /// + /// Gets the IAssessmentsOperations. + /// + IAssessmentsOperations Assessments { get; } + + /// + /// Gets the IAdaptiveApplicationControlsOperations. + /// + IAdaptiveApplicationControlsOperations AdaptiveApplicationControls { get; } + + /// + /// Gets the IAdaptiveNetworkHardeningsOperations. 
+ /// + IAdaptiveNetworkHardeningsOperations AdaptiveNetworkHardenings { get; } + + /// + /// Gets the IAllowedConnectionsOperations. + /// + IAllowedConnectionsOperations AllowedConnections { get; } + + /// + /// Gets the ITopologyOperations. + /// + ITopologyOperations Topology { get; } + + /// + /// Gets the IJitNetworkAccessPoliciesOperations. + /// + IJitNetworkAccessPoliciesOperations JitNetworkAccessPolicies { get; } + + /// + /// Gets the IDiscoveredSecuritySolutionsOperations. + /// + IDiscoveredSecuritySolutionsOperations DiscoveredSecuritySolutions { get; } + + /// + /// Gets the ISecuritySolutionsReferenceDataOperations. + /// + ISecuritySolutionsReferenceDataOperations SecuritySolutionsReferenceData { get; } + + /// + /// Gets the IExternalSecuritySolutionsOperations. + /// + IExternalSecuritySolutionsOperations ExternalSecuritySolutions { get; } + + /// + /// Gets the ISecureScoresOperations. + /// + ISecureScoresOperations SecureScores { get; } + + /// + /// Gets the ISecureScoreControlsOperations. + /// + ISecureScoreControlsOperations SecureScoreControls { get; } + + /// + /// Gets the ISecureScoreControlDefinitionsOperations. + /// + ISecureScoreControlDefinitionsOperations SecureScoreControlDefinitions { get; } + + /// + /// Gets the ISecuritySolutionsOperations. + /// + ISecuritySolutionsOperations SecuritySolutions { get; } + + /// + /// Gets the IConnectorsOperations. + /// + IConnectorsOperations Connectors { get; } + + /// + /// Gets the ISqlVulnerabilityAssessmentScansOperations. + /// + ISqlVulnerabilityAssessmentScansOperations SqlVulnerabilityAssessmentScans { get; } + + /// + /// Gets the ISqlVulnerabilityAssessmentScanResultsOperations. + /// + ISqlVulnerabilityAssessmentScanResultsOperations SqlVulnerabilityAssessmentScanResults { get; } + + /// + /// Gets the ISqlVulnerabilityAssessmentBaselineRulesOperations. 
+ /// + ISqlVulnerabilityAssessmentBaselineRulesOperations SqlVulnerabilityAssessmentBaselineRules { get; } + /// /// Gets the IAlertsOperations. /// IAlertsOperations Alerts { get; } + /// + /// Gets the ISettingsOperations. + /// + ISettingsOperations Settings { get; } + + /// + /// Gets the IIngestionSettingsOperations. + /// + IIngestionSettingsOperations IngestionSettings { get; } + + /// + /// Gets the ISoftwareInventoriesOperations. + /// + ISoftwareInventoriesOperations SoftwareInventories { get; } + + /// + /// Gets the ISecurityConnectorsOperations. + /// + ISecurityConnectorsOperations SecurityConnectors { get; } + + /// + /// Gets the IGovernanceRuleOperations. + /// + IGovernanceRuleOperations GovernanceRule { get; } + + /// + /// Gets the IGovernanceRulesOperations. + /// + IGovernanceRulesOperations GovernanceRules { get; } + + /// + /// Gets the ISecurityConnectorGovernanceRuleOperations. + /// + ISecurityConnectorGovernanceRuleOperations SecurityConnectorGovernanceRule { get; } + + /// + /// Gets the ISecurityConnectorGovernanceRulesOperations. + /// + ISecurityConnectorGovernanceRulesOperations SecurityConnectorGovernanceRules { get; } + + /// + /// Gets the ISubscriptionGovernanceRulesExecuteStatusOperations. + /// + ISubscriptionGovernanceRulesExecuteStatusOperations SubscriptionGovernanceRulesExecuteStatus { get; } + + /// + /// Gets the ISecurityConnectorGovernanceRulesExecuteStatusOperations. + /// + ISecurityConnectorGovernanceRulesExecuteStatusOperations SecurityConnectorGovernanceRulesExecuteStatus { get; } + + /// + /// Gets the IGovernanceAssignmentsOperations. + /// + IGovernanceAssignmentsOperations GovernanceAssignments { get; } + + /// + /// Gets the IApplicationsOperations. + /// + IApplicationsOperations Applications { get; } + + /// + /// Gets the IApplicationOperations. + /// + IApplicationOperations Application { get; } + + /// + /// Gets the ISecurityConnectorApplicationsOperations. 
+ /// + ISecurityConnectorApplicationsOperations SecurityConnectorApplications { get; } + + /// + /// Gets the ISecurityConnectorApplicationOperations. + /// + ISecurityConnectorApplicationOperations SecurityConnectorApplication { get; } + } } diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationOperations.cs new file mode 100644 index 000000000000..9fc60e313231 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationOperations.cs 
@@ -0,0 +1,118 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorApplicationOperations operations. + /// + public partial interface ISecurityConnectorApplicationOperations + { + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or update a security Application on the given security + /// connector. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// Application over a subscription scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Application application, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete an Application over a given scope + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard + /// application + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationsOperations.cs new file mode 100644 index 000000000000..acb910eb85de --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorApplicationsOperations.cs 
@@ -0,0 +1,77 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorApplicationsOperations operations. + /// + public partial interface ISecurityConnectorApplicationsOperations + { + /// + /// Get a list of all relevant applications over a security connector + /// level scope + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a list of all relevant applications over a security connector + /// level scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRuleOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRuleOperations.cs new file mode 100644 index 000000000000..5fea99033c00 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRuleOperations.cs 
@@ -0,0 +1,77 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRuleOperations operations. + /// + public partial interface ISecurityConnectorGovernanceRuleOperations + { + /// + /// Get a list of all relevant governanceRules over a security + /// connector level scope + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a list of all relevant governanceRules over a security + /// connector level scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesExecuteStatusOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesExecuteStatusOperations.cs new file mode 100644 index 000000000000..d55fa981339d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesExecuteStatusOperations.cs 
@@ -0,0 +1,97 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRulesExecuteStatusOperations operations. + /// + public partial interface ISecurityConnectorGovernanceRulesExecuteStatusOperations + { + /// + /// Get a specific governanceRule execution status for the requested + /// scope by ruleId and operationId + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the + /// execution of GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a specific governanceRule execution status for the requested + /// scope by ruleId and operationId + /// + /// + /// The name of the resource group within the user's subscription. 
The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the + /// execution of GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> BeginGetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesOperations.cs new file mode 100644 index 000000000000..be6280725219 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorGovernanceRulesOperations.cs 
@@ -0,0 +1,118 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRulesOperations operations. + /// + public partial interface ISecurityConnectorGovernanceRulesOperations + { + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or update a security GovernanceRule on the given security + /// connector. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, GovernanceRule governanceRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorsOperations.cs new file mode 100644 index 000000000000..b42ea2c24a69 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityConnectorsOperations.cs 
@@ -0,0 +1,230 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorsOperations operations. + /// + public partial interface ISecurityConnectorsOperations + { + /// + /// Lists all the security connectors in the specified subscription. + /// Use the 'nextLink' property in the response to get the next page of + /// security connectors for the specified subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security connectors in the specified resource group. + /// Use the 'nextLink' property in the response to get the next page of + /// security connectors for the specified resource group. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Retrieves details of a specific security connector + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creates or updates a security connector. If a security connector is + /// already created and a subsequent request is issued for the same + /// security connector id, then it will be updated. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Updates a security connector + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes a security connector. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security connectors in the specified subscription. 
+ /// Use the 'nextLink' property in the response to get the next page of + /// security connectors for the specified subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Lists all the security connectors in the specified resource group. + /// Use the 'nextLink' property in the response to get the next page of + /// security connectors for the specified resource group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs new file mode 100644 index 000000000000..a0315a999898 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs 
@@ -0,0 +1,134 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityContactsOperations operations. + /// + public partial interface ISecurityContactsOperations + { + /// + /// List all security contact configurations for the subscription + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get Default Security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string securityContactName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Create security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// Security contact object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string securityContactName, SecurityContact securityContact, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Delete security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string securityContactName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// List all security contact configurations for the subscription + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsOperations.cs new file mode 100644 index 000000000000..e59e818e3dc7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsOperations.cs 
@@ -0,0 +1,94 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecuritySolutionsOperations operations. + /// + public partial interface ISecuritySolutionsOperations + { + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a specific Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of security solution. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string securitySolutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of Security Solutions for the subscription. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsReferenceDataOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsReferenceDataOperations.cs new file mode 100644 index 000000000000..0d8b4e9c13ef --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISecuritySolutionsReferenceDataOperations.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecuritySolutionsReferenceDataOperations operations. + /// + public partial interface ISecuritySolutionsReferenceDataOperations + { + /// + /// Gets a list of all supported Security Solutions for the + /// subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets list of all supported Security Solutions for subscription and + /// location. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IServerVulnerabilityAssessmentOperations.cs b/src/Security/Security.Management.Sdk/Generated/IServerVulnerabilityAssessmentOperations.cs new file mode 100644 index 000000000000..10e0d65f0c6c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IServerVulnerabilityAssessmentOperations.cs 
@@ -0,0 +1,184 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ServerVulnerabilityAssessmentOperations operations. + /// + public partial interface IServerVulnerabilityAssessmentOperations + { + /// + /// Gets a list of server vulnerability assessment onboarding statuses + /// on a given resource. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a server vulnerability assessment onboarding statuses on a + /// given resource. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Creating a server vulnerability assessment on a resource, which + /// will onboard a resource for having a vulnerability assessment on it + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task BeginDeleteWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISettingsOperations.cs new file mode 100644 index 000000000000..f19c5c7f053a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISettingsOperations.cs 
@@ -0,0 +1,123 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SettingsOperations operations. + /// + public partial interface ISettingsOperations + { + /// + /// Settings about different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings of different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', + /// 'Sentinel' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string settingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// updating settings about different configurations in Microsoft + /// Defender for Cloud + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', + /// 'Sentinel' + /// + /// + /// Setting object + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string settingName, Setting setting, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings about different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/ISoftwareInventoriesOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISoftwareInventoriesOperations.cs new file mode 100644 index 000000000000..fa4696b563ca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISoftwareInventoriesOperations.cs 
@@ -0,0 +1,159 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SoftwareInventoriesOperations operations. + /// + public partial interface ISoftwareInventoriesOperations + { + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the software inventory of all virtual machines in the + /// subscriptions. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a single software data of the virtual machine. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Name of the installed software. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string softwareName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByExtendedResourceNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the software inventory of all virtual machines in the + /// subscriptions. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentBaselineRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentBaselineRulesOperations.cs new file mode 100644 index 000000000000..f0ee5c0b7086 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentBaselineRulesOperations.cs 
@@ -0,0 +1,189 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentBaselineRulesOperations operations. + /// + public partial interface ISqlVulnerabilityAssessmentBaselineRulesOperations + { + /// + /// Creates a Baseline for a rule in a database. Will overwrite any + /// previously existing results. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateOrUpdateWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IList> results = default(IList>), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the results for a given rule in the Baseline. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes a rule from the Baseline of a given database. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets the results for all rules in the Baseline. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Add a list of baseline rules. Will overwrite any previously + /// existing results (for all rules). 
+ /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> AddWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IDictionary>> results = default(IDictionary>>), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScanResultsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScanResultsOperations.cs new file mode 100644 index 000000000000..57f3455ec59f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScanResultsOperations.cs 
@@ -0,0 +1,94 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentScanResultsOperations operations. + /// + public partial interface ISqlVulnerabilityAssessmentScanResultsOperations + { + /// + /// Gets the scan results of a single rule in a scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest + /// scan. + /// + /// + /// The rule Id of the results. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scanId, string scanResultId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of scan results for a single scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest + /// scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(string scanId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScansOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScansOperations.cs new file mode 100644 index 000000000000..f8e610d3c62e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISqlVulnerabilityAssessmentScansOperations.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentScansOperations operations. + /// + public partial interface ISqlVulnerabilityAssessmentScansOperations + { + /// + /// Gets the scan details of a single scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan record for the latest + /// scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scanId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list of scan records. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> ListWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISubAssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISubAssessmentsOperations.cs new file mode 100644 index 000000000000..99b971666525 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISubAssessmentsOperations.cs 
@@ -0,0 +1,156 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SubAssessmentsOperations operations. + /// + public partial interface ISubAssessmentsOperations + { + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListAllWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get security sub-assessments on all your scanned resources inside a + /// scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string scope, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a security sub-assessment on your scanned resource + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management + /// group (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The Sub-Assessment Key - Unique key for the sub-assessment type + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string scope, string assessmentName, string subAssessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListAllNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get security sub-assessments on all your scanned resources inside a + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ISubscriptionGovernanceRulesExecuteStatusOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISubscriptionGovernanceRulesExecuteStatusOperations.cs new file mode 100644 index 000000000000..fd785dc40905 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ISubscriptionGovernanceRulesExecuteStatusOperations.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SubscriptionGovernanceRulesExecuteStatusOperations operations. + /// + public partial interface ISubscriptionGovernanceRulesExecuteStatusOperations + { + /// + /// Get a specific governanceRule execution status for the requested + /// scope by ruleId and operationId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the + /// execution of GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Get a specific governanceRule execution status for the requested + /// scope by ruleId and operationId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the + /// execution of GovernanceRule + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> BeginGetWithHttpMessagesAsync(string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ITasksOperations.cs b/src/Security/Security.Management.Sdk/Generated/ITasksOperations.cs new file mode 100644 index 000000000000..ee472989bb53 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ITasksOperations.cs 
@@ -0,0 +1,271 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// TasksOperations operations. + /// + public partial interface ITasksOperations + { + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetSubscriptionLevelTaskWithHttpMessagesAsync(string taskName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: + /// 'Activate', 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateSubscriptionLevelTaskStateWithHttpMessagesAsync(string taskName, string taskUpdateActionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The name of the resource group within the user's subscription. 
The + /// name is case insensitive. + /// + /// + /// OData filter. Optional. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetResourceGroupLevelTaskWithHttpMessagesAsync(string resourceGroupName, string taskName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: + /// 'Activate', 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task UpdateResourceGroupLevelTaskStateWithHttpMessagesAsync(string resourceGroupName, string taskName, string taskUpdateActionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Recommended tasks that will help improve the security of the + /// subscription proactively + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ITopologyOperations.cs b/src/Security/Security.Management.Sdk/Generated/ITopologyOperations.cs new file mode 100644 index 000000000000..064b65cd1f7e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ITopologyOperations.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// TopologyOperations operations. + /// + public partial interface ITopologyOperations + { + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list that allows to build a topology view of a subscription + /// and location. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a specific topology component. + /// + /// + /// The name of the resource group within the user's subscription. The + /// name is case insensitive. + /// + /// + /// Name of a topology resources collection. 
+ /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string resourceGroupName, string topologyResourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Gets a list that allows to build a topology view of a subscription + /// and location. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IWorkspaceSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IWorkspaceSettingsOperations.cs
new file mode 100644
index 000000000000..709ebd03dce2
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/IWorkspaceSettingsOperations.cs
@@ -0,0 +1,177 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// WorkspaceSettingsOperations operations. + /// + public partial interface IWorkspaceSettingsOperations + { + /// + /// Settings about where we should store your security data and logs. + /// If the result is empty, it means that no custom-workspace + /// configuration was set + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings about where we should store your security data and logs. + /// If the result is empty, it means that no custom-workspace + /// configuration was set + /// + /// + /// Name of the security setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> GetWithHttpMessagesAsync(string workspaceSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// creating settings about where we should store your security data + /// and logs + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the + /// mentioned workspace unless overridden by a setting with more + /// specific scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> CreateWithHttpMessagesAsync(string workspaceSettingName, string workspaceId, string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings about where we should store your security data and logs + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the + /// mentioned workspace unless overridden by a setting with more + /// specific scope + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task> UpdateWithHttpMessagesAsync(string workspaceSettingName, string workspaceId, string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Deletes the custom workspace settings for this subscription. new + /// VMs will report to the default workspace + /// + /// + /// Name of the security setting + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + Task DeleteWithHttpMessagesAsync(string workspaceSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + /// + /// Settings about where we should store your security data and logs. + /// If the result is empty, it means that no custom-workspace + /// configuration was set + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperations.cs b/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperations.cs new file mode 100644 index 000000000000..c7eeb37b8542 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperations.cs 
@@ -0,0 +1,830 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// InformationProtectionPoliciesOperations operations. + /// + internal partial class InformationProtectionPoliciesOperations : IServiceOperations, IInformationProtectionPoliciesOperations + { + /// + /// Initializes a new instance of the InformationProtectionPoliciesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal InformationProtectionPoliciesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Details of the information protection policy. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string scope, string informationProtectionPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (informationProtectionPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "informationProtectionPolicyName"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("informationProtectionPolicyName", informationProtectionPolicyName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/informationProtectionPolicies/{informationProtectionPolicyName}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{informationProtectionPolicyName}", System.Uri.EscapeDataString(informationProtectionPolicyName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + 
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of the information protection policy. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// Dictionary of sensitivity labels. + /// + /// + /// The sensitivity information types. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string scope, string informationProtectionPolicyName, IDictionary labels = default(IDictionary), IDictionary informationTypes = default(IDictionary), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (informationProtectionPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "informationProtectionPolicyName"); + } + string apiVersion = "2017-08-01-preview"; + InformationProtectionPolicy informationProtectionPolicy = new InformationProtectionPolicy(); + if (labels != null || informationTypes != null) + { + informationProtectionPolicy.Labels = labels; + informationProtectionPolicy.InformationTypes = informationTypes; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("informationProtectionPolicyName", informationProtectionPolicyName); + tracingParameters.Add("informationProtectionPolicy", informationProtectionPolicy); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/informationProtectionPolicies/{informationProtectionPolicyName}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{informationProtectionPolicyName}", System.Uri.EscapeDataString(informationProtectionPolicyName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(informationProtectionPolicy != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(informationProtectionPolicy, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + 
} + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/informationProtectionPolicies").ToString(); + _url = _url.Replace("{scope}", scope); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperationsExtensions.cs new file mode 100644 index 000000000000..ce2a37d655f9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/InformationProtectionPoliciesOperationsExtensions.cs 
@@ -0,0 +1,203 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for InformationProtectionPoliciesOperations. + /// + public static partial class InformationProtectionPoliciesOperationsExtensions + { + /// + /// Details of the information protection policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + public static InformationProtectionPolicy Get(this IInformationProtectionPoliciesOperations operations, string scope, string informationProtectionPolicyName) + { + return operations.GetAsync(scope, informationProtectionPolicyName).GetAwaiter().GetResult(); + } + + /// + /// Details of the information protection policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IInformationProtectionPoliciesOperations operations, string scope, string informationProtectionPolicyName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scope, informationProtectionPolicyName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of the information protection policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// Dictionary of sensitivity labels. + /// + /// + /// The sensitivity information types. + /// + public static InformationProtectionPolicy CreateOrUpdate(this IInformationProtectionPoliciesOperations operations, string scope, string informationProtectionPolicyName, IDictionary labels = default(IDictionary), IDictionary informationTypes = default(IDictionary)) + { + return operations.CreateOrUpdateAsync(scope, informationProtectionPolicyName, labels, informationTypes).GetAwaiter().GetResult(); + } + + /// + /// Details of the information protection policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Name of the information protection policy. Possible values include: + /// 'effective', 'custom' + /// + /// + /// Dictionary of sensitivity labels. + /// + /// + /// The sensitivity information types. + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this IInformationProtectionPoliciesOperations operations, string scope, string informationProtectionPolicyName, IDictionary labels = default(IDictionary), IDictionary informationTypes = default(IDictionary), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(scope, informationProtectionPolicyName, labels, informationTypes, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + public static IPage List(this IInformationProtectionPoliciesOperations operations, string scope) + { + return operations.ListAsync(scope).GetAwaiter().GetResult(); + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IInformationProtectionPoliciesOperations operations, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IInformationProtectionPoliciesOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Information protection policies of a specific management group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IInformationProtectionPoliciesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperations.cs new file mode 100644 index 000000000000..7da28345d980 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperations.cs 
@@ -0,0 +1,1369 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IngestionSettingsOperations operations. + /// + internal partial class IngestionSettingsOperations : IServiceOperations, IIngestionSettingsOperations + { + /// + /// Initializes a new instance of the IngestionSettingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal IngestionSettingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-01-15-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ingestionSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ingestionSettingName"); + } + string apiVersion = "2021-01-15-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ingestionSettingName", ingestionSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings/{ingestionSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ingestionSettingName}", System.Uri.EscapeDataString(ingestionSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create setting for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Ingestion setting data + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateWithHttpMessagesAsync(string ingestionSettingName, object properties = default(object), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ingestionSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ingestionSettingName"); + } + string apiVersion = "2021-01-15-preview"; + IngestionSetting ingestionSetting = new IngestionSetting(); + if (properties != null) + { + ingestionSetting.Properties = properties; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ingestionSettingName", ingestionSettingName); + tracingParameters.Add("ingestionSetting", ingestionSetting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings/{ingestionSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ingestionSettingName}", System.Uri.EscapeDataString(ingestionSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(ingestionSetting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(ingestionSetting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; 
charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes the ingestion settings for this subscription. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ingestionSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ingestionSettingName"); + } + string apiVersion = "2021-01-15-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ingestionSettingName", ingestionSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings/{ingestionSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ingestionSettingName}", System.Uri.EscapeDataString(ingestionSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Returns the token that is used for correlating ingested telemetry with the + /// resources in the subscription. 
+ /// + /// + /// Name of the ingestion setting + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListTokensWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ingestionSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ingestionSettingName"); + } + string apiVersion = "2021-01-15-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ingestionSettingName", ingestionSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListTokens", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings/{ingestionSettingName}/listTokens").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ingestionSettingName}", System.Uri.EscapeDataString(ingestionSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Connection strings for ingesting security scan logs and data. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListConnectionStringsWithHttpMessagesAsync(string ingestionSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ingestionSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ingestionSettingName"); + } + string apiVersion = "2021-01-15-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = 
new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ingestionSettingName", ingestionSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListConnectionStrings", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/ingestionSettings/{ingestionSettingName}/listConnectionStrings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ingestionSettingName}", System.Uri.EscapeDataString(ingestionSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperationsExtensions.cs new file mode 100644 index 000000000000..d83ac2934e02 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IngestionSettingsOperationsExtensions.cs 
@@ -0,0 +1,270 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for IngestionSettingsOperations. + /// + public static partial class IngestionSettingsOperationsExtensions + { + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IIngestionSettingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IIngestionSettingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the ingestion setting + /// + public static IngestionSetting Get(this IIngestionSettingsOperations operations, string ingestionSettingName) + { + return operations.GetAsync(ingestionSettingName).GetAwaiter().GetResult(); + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IIngestionSettingsOperations operations, string ingestionSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(ingestionSettingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create setting for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Ingestion setting data + /// + public static IngestionSetting Create(this IIngestionSettingsOperations operations, string ingestionSettingName, object properties = default(object)) + { + return operations.CreateAsync(ingestionSettingName, properties).GetAwaiter().GetResult(); + } + + /// + /// Create setting for ingesting security data and logs to correlate with + /// resources associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + /// + /// Ingestion setting data + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateAsync(this IIngestionSettingsOperations operations, string ingestionSettingName, object properties = default(object), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(ingestionSettingName, properties, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes the ingestion settings for this subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + public static void Delete(this IIngestionSettingsOperations operations, string ingestionSettingName) + { + operations.DeleteAsync(ingestionSettingName).GetAwaiter().GetResult(); + } + + /// + /// Deletes the ingestion settings for this subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IIngestionSettingsOperations operations, string ingestionSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(ingestionSettingName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Returns the token that is used for correlating ingested telemetry with the + /// resources in the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + public static IngestionSettingToken ListTokens(this IIngestionSettingsOperations operations, string ingestionSettingName) + { + return operations.ListTokensAsync(ingestionSettingName).GetAwaiter().GetResult(); + } + + /// + /// Returns the token that is used for correlating ingested telemetry with the + /// resources in the subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the ingestion setting + /// + /// + /// The cancellation token. + /// + public static async Task ListTokensAsync(this IIngestionSettingsOperations operations, string ingestionSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListTokensWithHttpMessagesAsync(ingestionSettingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Connection strings for ingesting security scan logs and data. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + public static ConnectionStrings ListConnectionStrings(this IIngestionSettingsOperations operations, string ingestionSettingName) + { + return operations.ListConnectionStringsAsync(ingestionSettingName).GetAwaiter().GetResult(); + } + + /// + /// Connection strings for ingesting security scan logs and data. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the ingestion setting + /// + /// + /// The cancellation token. + /// + public static async Task ListConnectionStringsAsync(this IIngestionSettingsOperations operations, string ingestionSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListConnectionStringsWithHttpMessagesAsync(ingestionSettingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IIngestionSettingsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Settings for ingesting security data and logs to correlate with resources + /// associated with the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IIngestionSettingsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperations.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperations.cs new file mode 100644 index 000000000000..1df2267ad391 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperations.cs 
@@ -0,0 +1,488 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionAnalyticsOperations operations. + /// + internal partial class IotSecuritySolutionAnalyticsOperations : IServiceOperations, IIotSecuritySolutionAnalyticsOperations + { + /// + /// Initializes a new instance of the IotSecuritySolutionAnalyticsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal IotSecuritySolutionAnalyticsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Use this method to get IoT security Analytics metrics in an array. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary 
tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get IoT Security Analytics metrics. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperationsExtensions.cs
new file mode 100644
index 000000000000..2276e0e10c62
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionAnalyticsOperationsExtensions.cs
@@ -0,0 +1,109 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for IotSecuritySolutionAnalyticsOperations. + /// + public static partial class IotSecuritySolutionAnalyticsOperationsExtensions + { + /// + /// Use this method to get IoT security Analytics metrics in an array. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + public static IoTSecuritySolutionAnalyticsModelList List(this IIotSecuritySolutionAnalyticsOperations operations, string resourceGroupName, string solutionName) + { + return operations.ListAsync(resourceGroupName, solutionName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get IoT security Analytics metrics in an array. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The cancellation token. 
+ /// + public static async Task ListAsync(this IIotSecuritySolutionAnalyticsOperations operations, string resourceGroupName, string solutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceGroupName, solutionName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get IoT Security Analytics metrics. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + public static IoTSecuritySolutionAnalyticsModel Get(this IIotSecuritySolutionAnalyticsOperations operations, string resourceGroupName, string solutionName) + { + return operations.GetAsync(resourceGroupName, solutionName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get IoT Security Analytics metrics. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IIotSecuritySolutionAnalyticsOperations operations, string resourceGroupName, string solutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, solutionName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperations.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperations.cs new file mode 100644 index 000000000000..2cff9404992e --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperations.cs 
@@ -0,0 +1,1710 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionOperations operations. + /// + internal partial class IotSecuritySolutionOperations : IServiceOperations, IIotSecuritySolutionOperations + { + /// + /// Initializes a new instance of the IotSecuritySolutionOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal IotSecuritySolutionOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/iotSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string 
_invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// User this method to get details of a specific IoT Security solution based + /// on solution name + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to create or update yours IoT Security solution + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string solutionName, IoTSecuritySolutionModel iotSecuritySolutionData, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, 
"solutionName"); + } + if (iotSecuritySolutionData == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "iotSecuritySolutionData"); + } + if (iotSecuritySolutionData != null) + { + iotSecuritySolutionData.Validate(); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("iotSecuritySolutionData", iotSecuritySolutionData); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(iotSecuritySolutionData != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(iotSecuritySolutionData, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to update existing IoT Security solution tags or user + /// defined resources. To update other fields use the CreateOrUpdate method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> UpdateWithHttpMessagesAsync(string resourceGroupName, string solutionName, UpdateIotSecuritySolutionData updateIotSecuritySolutionData, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + if (updateIotSecuritySolutionData == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "updateIotSecuritySolutionData"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("updateIotSecuritySolutionData", updateIotSecuritySolutionData); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PATCH"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(updateIotSecuritySolutionData != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(updateIotSecuritySolutionData, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to 
deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to delete yours IoT Security solution + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string solutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new 
ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // 
Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if 
(_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + 
// Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if 
(_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperationsExtensions.cs new file mode 100644 index 000000000000..b157f32c4211 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionOperationsExtensions.cs 
@@ -0,0 +1,358 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for IotSecuritySolutionOperations. + /// + public static partial class IotSecuritySolutionOperationsExtensions + { + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + public static IPage ListBySubscription(this IIotSecuritySolutionOperations operations, string filter = default(string)) + { + return operations.ListBySubscriptionAsync(filter).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this IIotSecuritySolutionOperations operations, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + public static IPage ListByResourceGroup(this IIotSecuritySolutionOperations operations, string resourceGroupName, string filter = default(string)) + { + return operations.ListByResourceGroupAsync(resourceGroupName, filter).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Filter the IoT Security solution with OData syntax. Supports filtering by + /// iotHubs. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAsync(this IIotSecuritySolutionOperations operations, string resourceGroupName, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// User this method to get details of a specific IoT Security solution based + /// on solution name + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. 
+ /// + public static IoTSecuritySolutionModel Get(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName) + { + return operations.GetAsync(resourceGroupName, solutionName).GetAwaiter().GetResult(); + } + + /// + /// User this method to get details of a specific IoT Security solution based + /// on solution name + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, solutionName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to create or update yours IoT Security solution + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + public static IoTSecuritySolutionModel CreateOrUpdate(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, IoTSecuritySolutionModel iotSecuritySolutionData) + { + return operations.CreateOrUpdateAsync(resourceGroupName, solutionName, iotSecuritySolutionData).GetAwaiter().GetResult(); + } + + /// + /// Use this method to create or update yours IoT Security solution + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, IoTSecuritySolutionModel iotSecuritySolutionData, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, solutionName, iotSecuritySolutionData, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to update existing IoT Security solution tags or user + /// defined resources. To update other fields use the CreateOrUpdate method. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + public static IoTSecuritySolutionModel Update(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, UpdateIotSecuritySolutionData updateIotSecuritySolutionData) + { + return operations.UpdateAsync(resourceGroupName, solutionName, updateIotSecuritySolutionData).GetAwaiter().GetResult(); + } + + /// + /// Use this method to update existing IoT Security solution tags or user + /// defined resources. To update other fields use the CreateOrUpdate method. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The security solution data + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateAsync(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, UpdateIotSecuritySolutionData updateIotSecuritySolutionData, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(resourceGroupName, solutionName, updateIotSecuritySolutionData, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to delete yours IoT Security solution + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + public static void Delete(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName) + { + operations.DeleteAsync(resourceGroupName, solutionName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to delete yours IoT Security solution + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IIotSecuritySolutionOperations operations, string resourceGroupName, string solutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, solutionName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListBySubscriptionNext(this IIotSecuritySolutionOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list of IoT Security solutions by subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionNextAsync(this IIotSecuritySolutionOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this IIotSecuritySolutionOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list IoT Security solutions organized by + /// resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupNextAsync(this IIotSecuritySolutionOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs new file mode 100644 index 000000000000..68740bdb4a13 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperations.cs 
@@ -0,0 +1,886 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionsAnalyticsAggregatedAlertOperations operations. + /// + internal partial class IotSecuritySolutionsAnalyticsAggregatedAlertOperations : IServiceOperations, IIotSecuritySolutionsAnalyticsAggregatedAlertOperations + { + /// + /// Initializes a new instance of the IotSecuritySolutionsAnalyticsAggregatedAlertOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal IotSecuritySolutionsAnalyticsAggregatedAlertOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, int? top = default(int?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = 
ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("top", top); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (top != null) + { + _queryParameters.Add(string.Format("$top={0}", System.Uri.EscapeDataString(Rest.Serialization.SafeJsonConvert.SerializeObject(top, Client.SerializationSettings).Trim('"')))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get a single the aggregated alert of yours IoT Security + /// solution. This aggregation is performed by alert name. + /// + /// + /// The name of the resource group within the user's subscription. 
The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedAlertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + if (aggregatedAlertName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "aggregatedAlertName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("aggregatedAlertName", aggregatedAlertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + _url = _url.Replace("{aggregatedAlertName}", System.Uri.EscapeDataString(aggregatedAlertName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to dismiss an aggregated IoT Security Solution Alert. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DismissWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedAlertName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + if (aggregatedAlertName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "aggregatedAlertName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("aggregatedAlertName", aggregatedAlertName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Dismiss", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}/dismiss").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + _url = _url.Replace("{aggregatedAlertName}", System.Uri.EscapeDataString(aggregatedAlertName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperationsExtensions.cs new file mode 100644 index 000000000000..bf6dfa202398 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsAggregatedAlertOperationsExtensions.cs 
@@ -0,0 +1,206 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for IotSecuritySolutionsAnalyticsAggregatedAlertOperations. + /// + public static partial class IotSecuritySolutionsAnalyticsAggregatedAlertOperationsExtensions + { + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + public static IPage List(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, int? top = default(int?)) + { + return operations.ListAsync(resourceGroupName, solutionName, top).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, int? 
top = default(int?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceGroupName, solutionName, top, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get a single the aggregated alert of yours IoT Security + /// solution. This aggregation is performed by alert name. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + public static IoTSecurityAggregatedAlert Get(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, string aggregatedAlertName) + { + return operations.GetAsync(resourceGroupName, solutionName, aggregatedAlertName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get a single the aggregated alert of yours IoT Security + /// solution. This aggregation is performed by alert name. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, string aggregatedAlertName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, solutionName, aggregatedAlertName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to dismiss an aggregated IoT Security Solution Alert. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + public static void Dismiss(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, string aggregatedAlertName) + { + operations.DismissAsync(resourceGroupName, solutionName, aggregatedAlertName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to dismiss an aggregated IoT Security Solution Alert. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Identifier of the aggregated alert. + /// + /// + /// The cancellation token. 
+ /// + public static async Task DismissAsync(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string resourceGroupName, string solutionName, string aggregatedAlertName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DismissWithHttpMessagesAsync(resourceGroupName, solutionName, aggregatedAlertName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the aggregated alert list of yours IoT Security + /// solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IIotSecuritySolutionsAnalyticsAggregatedAlertOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperations.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperations.cs new file mode 100644 index 000000000000..b64b055e7625 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperations.cs 
@@ -0,0 +1,682 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// IotSecuritySolutionsAnalyticsRecommendationOperations operations. + /// + internal partial class IotSecuritySolutionsAnalyticsRecommendationOperations : IServiceOperations, IIotSecuritySolutionsAnalyticsRecommendationOperations + { + /// + /// Initializes a new instance of the IotSecuritySolutionsAnalyticsRecommendationOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal IotSecuritySolutionsAnalyticsRecommendationOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Use this method to get the aggregated security analytics recommendation of + /// yours IoT Security solution. This aggregation is performed by + /// recommendation name. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Name of the recommendation aggregated for this query. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string solutionName, string aggregatedRecommendationName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + if (aggregatedRecommendationName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "aggregatedRecommendationName"); + } + string 
apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("aggregatedRecommendationName", aggregatedRecommendationName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations/{aggregatedRecommendationName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + _url = _url.Replace("{aggregatedRecommendationName}", System.Uri.EscapeDataString(aggregatedRecommendationName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The name of the resource group within the user's subscription. 
The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string resourceGroupName, string solutionName, int? top = default(int?), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (solutionName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "solutionName"); + } + string apiVersion = "2019-08-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("solutionName", solutionName); + tracingParameters.Add("top", top); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{solutionName}", System.Uri.EscapeDataString(solutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (top != null) + { + _queryParameters.Add(string.Format("$top={0}", System.Uri.EscapeDataString(Rest.Serialization.SafeJsonConvert.SerializeObject(top, Client.SerializationSettings).Trim('"')))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperationsExtensions.cs new file mode 100644 index 000000000000..3fd8c6741346 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/IotSecuritySolutionsAnalyticsRecommendationOperationsExtensions.cs 
@@ -0,0 +1,163 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for IotSecuritySolutionsAnalyticsRecommendationOperations. + /// + public static partial class IotSecuritySolutionsAnalyticsRecommendationOperationsExtensions + { + /// + /// Use this method to get the aggregated security analytics recommendation of + /// yours IoT Security solution. This aggregation is performed by + /// recommendation name. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Name of the recommendation aggregated for this query. + /// + public static IoTSecurityAggregatedRecommendation Get(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string resourceGroupName, string solutionName, string aggregatedRecommendationName) + { + return operations.GetAsync(resourceGroupName, solutionName, aggregatedRecommendationName).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the aggregated security analytics recommendation of + /// yours IoT Security solution. This aggregation is performed by + /// recommendation name. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. 
+ /// + /// + /// Name of the recommendation aggregated for this query. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string resourceGroupName, string solutionName, string aggregatedRecommendationName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, solutionName, aggregatedRecommendationName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + public static IPage List(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string resourceGroupName, string solutionName, int? top = default(int?)) + { + return operations.ListAsync(resourceGroupName, solutionName, top).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The name of the IoT Security solution. + /// + /// + /// Number of results to retrieve. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string resourceGroupName, string solutionName, int? 
top = default(int?), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceGroupName, solutionName, top, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Use this method to get the list of aggregated security analytics + /// recommendations of yours IoT Security solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IIotSecuritySolutionsAnalyticsRecommendationOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperations.cs b/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperations.cs new file mode 100644 index 000000000000..e600a0970206 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperations.cs 
@@ -0,0 +1,2465 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// JitNetworkAccessPoliciesOperations operations. + /// + internal partial class JitNetworkAccessPoliciesOperations : IServiceOperations, IJitNetworkAccessPoliciesOperations + { + /// + /// Initializes a new instance of the JitNetworkAccessPoliciesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal JitNetworkAccessPoliciesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/jitNetworkAccessPolicies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/jitNetworkAccessPolicies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupAndRegionWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupAndRegion", tracingParameters); + } + // 
Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + 
cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + 
} + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (jitNetworkAccessPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "jitNetworkAccessPolicyName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("jitNetworkAccessPolicyName", 
jitNetworkAccessPolicyName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{jitNetworkAccessPolicyName}", System.Uri.EscapeDataString(jitNetworkAccessPolicyName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create a policy for protecting resources using Just-in-Time access control + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, JitNetworkAccessPolicy body, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, 
"this.Client.AscLocation"); + } + if (jitNetworkAccessPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "jitNetworkAccessPolicyName"); + } + if (body == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "body"); + } + if (body != null) + { + body.Validate(); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("jitNetworkAccessPolicyName", jitNetworkAccessPolicyName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{jitNetworkAccessPolicyName}", System.Uri.EscapeDataString(jitNetworkAccessPolicyName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, 
_httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } 
+ } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a Just-in-Time access control policy. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, 
"resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (jitNetworkAccessPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "jitNetworkAccessPolicyName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("jitNetworkAccessPolicyName", jitNetworkAccessPolicyName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{jitNetworkAccessPolicyName}", System.Uri.EscapeDataString(jitNetworkAccessPolicyName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Initiate a JIT access from a specific Just-in-Time policy configuration. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// A list of virtual machines & ports to open access for + /// + /// + /// The justification for making the initiate request + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> InitiateWithHttpMessagesAsync(string resourceGroupName, string jitNetworkAccessPolicyName, IList virtualMachines, string justification = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (jitNetworkAccessPolicyName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "jitNetworkAccessPolicyName"); + } + 
if (virtualMachines == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "virtualMachines"); + } + if (virtualMachines != null) + { + foreach (var element in virtualMachines) + { + if (element != null) + { + element.Validate(); + } + } + } + string jitNetworkAccessPolicyInitiateType = "initiate"; + string apiVersion = "2020-01-01"; + JitNetworkAccessPolicyInitiateRequest body = new JitNetworkAccessPolicyInitiateRequest(); + if (virtualMachines != null || justification != null) + { + body.VirtualMachines = virtualMachines; + body.Justification = justification; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("jitNetworkAccessPolicyName", jitNetworkAccessPolicyName); + tracingParameters.Add("jitNetworkAccessPolicyInitiateType", jitNetworkAccessPolicyInitiateType); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Initiate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}/{jitNetworkAccessPolicyInitiateType}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{jitNetworkAccessPolicyName}", System.Uri.EscapeDataString(jitNetworkAccessPolicyName)); + _url = _url.Replace("{jitNetworkAccessPolicyInitiateType}", System.Uri.EscapeDataString(jitNetworkAccessPolicyInitiateType)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); 
+ } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 202) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize 
Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if 
(_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + 
// Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if 
(_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupAndRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupAndRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, 
_header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if 
(_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperationsExtensions.cs new file mode 100644 index 000000000000..d38cf804bfe6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/JitNetworkAccessPoliciesOperationsExtensions.cs 
@@ -0,0 +1,486 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for JitNetworkAccessPoliciesOperations. + /// + public static partial class JitNetworkAccessPoliciesOperationsExtensions + { + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IJitNetworkAccessPoliciesOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IJitNetworkAccessPoliciesOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. 
+ /// + public static IPage ListByRegion(this IJitNetworkAccessPoliciesOperations operations) + { + return operations.ListByRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByRegionAsync(this IJitNetworkAccessPoliciesOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroup(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroupAndRegion(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAndRegionAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAndRegionAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupAndRegionWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + public static JitNetworkAccessPolicy Get(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName) + { + return operations.GetAsync(resourceGroupName, jitNetworkAccessPolicyName).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, jitNetworkAccessPolicyName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create a policy for protecting resources using Just-in-Time access control + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. 
+ /// + /// + /// + public static JitNetworkAccessPolicy CreateOrUpdate(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, JitNetworkAccessPolicy body) + { + return operations.CreateOrUpdateAsync(resourceGroupName, jitNetworkAccessPolicyName, body).GetAwaiter().GetResult(); + } + + /// + /// Create a policy for protecting resources using Just-in-Time access control + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, JitNetworkAccessPolicy body, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, jitNetworkAccessPolicyName, body, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a Just-in-Time access control policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + public static void Delete(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName) + { + operations.DeleteAsync(resourceGroupName, jitNetworkAccessPolicyName).GetAwaiter().GetResult(); + } + + /// + /// Delete a Just-in-Time access control policy. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. 
The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, jitNetworkAccessPolicyName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Initiate a JIT access from a specific Just-in-Time policy configuration. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// A list of virtual machines & ports to open access for + /// + /// + /// The justification for making the initiate request + /// + public static JitNetworkAccessRequest Initiate(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, IList virtualMachines, string justification = default(string)) + { + return operations.InitiateAsync(resourceGroupName, jitNetworkAccessPolicyName, virtualMachines, justification).GetAwaiter().GetResult(); + } + + /// + /// Initiate a JIT access from a specific Just-in-Time policy configuration. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a Just-in-Time access configuration policy. + /// + /// + /// A list of virtual machines & ports to open access for + /// + /// + /// The justification for making the initiate request + /// + /// + /// The cancellation token. 
+ /// + public static async Task InitiateAsync(this IJitNetworkAccessPoliciesOperations operations, string resourceGroupName, string jitNetworkAccessPolicyName, IList virtualMachines, string justification = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.InitiateWithHttpMessagesAsync(resourceGroupName, jitNetworkAccessPolicyName, virtualMachines, justification, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListByRegionNext(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink) + { + return operations.ListByRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByRegionNextAsync(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByResourceGroupNextAsync(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupAndRegionNext(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupAndRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Policies for protecting resources using Just-in-Time access control for the + /// subscription, location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAndRegionNextAsync(this IJitNetworkAccessPoliciesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupAndRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/LocationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/LocationsOperations.cs new file mode 100644 index 000000000000..456e5d1aa5a0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/LocationsOperations.cs 
@@ -0,0 +1,604 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// LocationsOperations operations. + /// + internal partial class LocationsOperations : IServiceOperations, ILocationsOperations + { + /// + /// Initializes a new instance of the LocationsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal LocationsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if 
(_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details of a specific location + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new 
System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + 
} + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/LocationsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/LocationsOperationsExtensions.cs new file mode 100644 index 000000000000..2352a413ee62 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/LocationsOperationsExtensions.cs 
@@ -0,0 +1,127 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for LocationsOperations. + /// + public static partial class LocationsOperationsExtensions + { + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ILocationsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ILocationsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details of a specific location + /// + /// + /// The operations group for this extension method. 
+ /// + public static AscLocation Get(this ILocationsOperations operations) + { + return operations.GetAsync().GetAwaiter().GetResult(); + } + + /// + /// Details of a specific location + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ILocationsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ILocationsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// The location of the responsible ASC of the specific subscription (home + /// region). For each subscription there is only one responsible location. The + /// location in the response should be used to read or write other resources in + /// ASC according to their ID. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this ILocationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperations.cs new file mode 100644 index 000000000000..a4372d966bfb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperations.cs 
@@ -0,0 +1,420 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// MdeOnboardingsOperations operations. + /// + internal partial class MdeOnboardingsOperations : IServiceOperations, IMdeOnboardingsOperations + { + /// + /// Initializes a new instance of the MdeOnboardingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal MdeOnboardingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// The configuration or data needed to onboard the machine to MDE + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-10-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/mdeOnboardings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// The default configuration or data needed to onboard the machine to MDE + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-10-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/mdeOnboardings/default").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperationsExtensions.cs new file mode 100644 index 000000000000..37b90bccd89c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/MdeOnboardingsOperationsExtensions.cs 
@@ -0,0 +1,81 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for MdeOnboardingsOperations. + /// + public static partial class MdeOnboardingsOperationsExtensions + { + /// + /// The configuration or data needed to onboard the machine to MDE + /// + /// + /// The operations group for this extension method. + /// + public static MdeOnboardingDataList List(this IMdeOnboardingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// The configuration or data needed to onboard the machine to MDE + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this IMdeOnboardingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// The default configuration or data needed to onboard the machine to MDE + /// + /// + /// The operations group for this extension method. + /// + public static MdeOnboardingData Get(this IMdeOnboardingsOperations operations) + { + return operations.GetAsync().GetAwaiter().GetResult(); + } + + /// + /// The default configuration or data needed to onboard the machine to MDE + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IMdeOnboardingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState.cs b/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState.cs new file mode 100644 index 000000000000..e6dc14a7b834 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AadConnectivityState. + /// + public static class AadConnectivityState + { + public const string Discovered = "Discovered"; + public const string NotLicensed = "NotLicensed"; + public const string Connected = "Connected"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState1.cs b/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState1.cs new file mode 100644 index 000000000000..4ecf3bb262b8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AadConnectivityState1.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with kind + /// + public partial class AadConnectivityState1 + { + /// + /// Initializes a new instance of the AadConnectivityState1 class. + /// + public AadConnectivityState1() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AadConnectivityState1 class. + /// + /// The connectivity state of the + /// external AAD solution + public AadConnectivityState1(string connectivityState = default(string)) + { + ConnectivityState = connectivityState; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the connectivity state of the external AAD solution + /// + /// + /// Possible values include: 'Discovered', 'NotLicensed', 'Connected' + /// + [JsonProperty(PropertyName = "connectivityState")] + public string ConnectivityState { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AadExternalSecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/AadExternalSecuritySolution.cs new file mode 100644 index 000000000000..96b281d985c0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AadExternalSecuritySolution.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents an AAD identity protection solution which sends logs to an + /// OMS workspace. + /// + [Newtonsoft.Json.JsonObject("AAD")] + public partial class AadExternalSecuritySolution : ExternalSecuritySolution + { + /// + /// Initializes a new instance of the AadExternalSecuritySolution + /// class. + /// + public AadExternalSecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AadExternalSecuritySolution + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public AadExternalSecuritySolution(string id = default(string), string name = default(string), string type = default(string), string location = default(string), AadSolutionProperties properties = default(AadSolutionProperties)) + : base(id, name, type, location) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public AadSolutionProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AadSolutionProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AadSolutionProperties.cs new file mode 100644 index 000000000000..8c4467443ee6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AadSolutionProperties.cs 
@@ -0,0 +1,73 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The external security solution properties for AAD solutions + /// + public partial class AadSolutionProperties + { + /// + /// Initializes a new instance of the AadSolutionProperties class. + /// + public AadSolutionProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AadSolutionProperties class. + /// + /// The connectivity state of the + /// external AAD solution + public AadSolutionProperties(string deviceVendor = default(string), string deviceType = default(string), ConnectedWorkspace workspace = default(ConnectedWorkspace), string connectivityState = default(string)) + { + DeviceVendor = deviceVendor; + DeviceType = deviceType; + Workspace = workspace; + ConnectivityState = connectivityState; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "deviceVendor")] + public string DeviceVendor { get; set; } + + /// + /// + [JsonProperty(PropertyName = "deviceType")] + public string DeviceType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "workspace")] + public ConnectedWorkspace Workspace { get; set; } + + /// + /// Gets or sets the connectivity state of the external AAD solution + /// + /// + /// Possible values include: 'Discovered', 'NotLicensed', 'Connected' + /// + [JsonProperty(PropertyName = "connectivityState")] + public string ConnectivityState { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ActiveConnectionsNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/ActiveConnectionsNotInAllowedRange.cs new file mode 100644 index 000000000000..3c4aefd5b0a4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ActiveConnectionsNotInAllowedRange.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of active connections is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("ActiveConnectionsNotInAllowedRange")] + public partial class ActiveConnectionsNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// ActiveConnectionsNotInAllowedRange class. + /// + public ActiveConnectionsNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// ActiveConnectionsNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public ActiveConnectionsNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroup.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroup.cs new file mode 100644 index 000000000000..584a79c8d071 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroup.cs 
@@ -0,0 +1,145 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class AdaptiveApplicationControlGroup + { + /// + /// Initializes a new instance of the AdaptiveApplicationControlGroup + /// class. + /// + public AdaptiveApplicationControlGroup() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AdaptiveApplicationControlGroup + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// Possible values include: 'Audit', + /// 'Enforce', 'None' + /// Possible values include: + /// 'Configured', 'NotConfigured', 'InProgress', 'Failed', + /// 'NoStatus' + /// Possible values include: + /// 'Recommended', 'NotRecommended', 'NotAvailable', 'NoStatus' + /// Possible values include: + /// 'Azure_AppLocker', 'Azure_AuditD', 'NonAzure_AppLocker', + /// 'NonAzure_AuditD', 'None' + public AdaptiveApplicationControlGroup(string id = default(string), string name = default(string), string type = default(string), string location = default(string), string enforcementMode = default(string), ProtectionMode protectionMode = default(ProtectionMode), string configurationStatus = default(string), string recommendationStatus = default(string), IList issues = default(IList), string sourceSystem = default(string), IList vmRecommendations = default(IList), IList pathRecommendations = default(IList)) + { + Id = id; + Name = name; + Type = 
type; + Location = location; + EnforcementMode = enforcementMode; + ProtectionMode = protectionMode; + ConfigurationStatus = configurationStatus; + RecommendationStatus = recommendationStatus; + Issues = issues; + SourceSystem = sourceSystem; + VmRecommendations = vmRecommendations; + PathRecommendations = pathRecommendations; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets or sets possible values include: 'Audit', 'Enforce', 'None' + /// + [JsonProperty(PropertyName = "properties.enforcementMode")] + public string EnforcementMode { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.protectionMode")] + public ProtectionMode ProtectionMode { get; set; } + + /// + /// Gets possible values include: 'Configured', 'NotConfigured', + /// 'InProgress', 'Failed', 'NoStatus' + /// + [JsonProperty(PropertyName = "properties.configurationStatus")] + public string ConfigurationStatus { get; private set; } + + /// + /// Gets possible values include: 'Recommended', 'NotRecommended', + /// 'NotAvailable', 'NoStatus' + /// + [JsonProperty(PropertyName = "properties.recommendationStatus")] + public string RecommendationStatus { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.issues")] + public IList Issues { get; private set; } + + /// + /// Gets possible values include: 'Azure_AppLocker', 'Azure_AuditD', + /// 
'NonAzure_AppLocker', 'NonAzure_AuditD', 'None' + /// + [JsonProperty(PropertyName = "properties.sourceSystem")] + public string SourceSystem { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.vmRecommendations")] + public IList VmRecommendations { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.pathRecommendations")] + public IList PathRecommendations { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroups.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroups.cs new file mode 100644 index 000000000000..b570db10d6d2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlGroups.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Represents a list of VM/server groups and set of rules that are + /// Recommended by Microsoft Defender for Cloud to be allowed + /// + public partial class AdaptiveApplicationControlGroups + { + /// + /// Initializes a new instance of the AdaptiveApplicationControlGroups + /// class. + /// + public AdaptiveApplicationControlGroups() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AdaptiveApplicationControlGroups + /// class. + /// + public AdaptiveApplicationControlGroups(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlIssueSummary.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlIssueSummary.cs new file mode 100644 index 000000000000..b97d7f1986d7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveApplicationControlIssueSummary.cs 
@@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a summary of the alerts of the machine group + /// + public partial class AdaptiveApplicationControlIssueSummary + { + /// + /// Initializes a new instance of the + /// AdaptiveApplicationControlIssueSummary class. + /// + public AdaptiveApplicationControlIssueSummary() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AdaptiveApplicationControlIssueSummary class. + /// + /// Possible values include: 'ViolationsAudited', + /// 'ViolationsBlocked', 'MsiAndScriptViolationsAudited', + /// 'MsiAndScriptViolationsBlocked', 'ExecutableViolationsAudited', + /// 'RulesViolatedManually' + /// The number of machines in the group that + /// have this alert + public AdaptiveApplicationControlIssueSummary(string issue = default(string), double? numberOfVms = default(double?)) + { + Issue = issue; + NumberOfVms = numberOfVms; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets possible values include: 'ViolationsAudited', + /// 'ViolationsBlocked', 'MsiAndScriptViolationsAudited', + /// 'MsiAndScriptViolationsBlocked', 'ExecutableViolationsAudited', + /// 'RulesViolatedManually' + /// + [JsonProperty(PropertyName = "issue")] + public string Issue { get; set; } + + /// + /// Gets or sets the number of machines in the group that have this + /// alert + /// + [JsonProperty(PropertyName = "numberOfVms")] + public double? NumberOfVms { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardening.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardening.cs new file mode 100644 index 000000000000..f2f530b17ae7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardening.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The resource whose properties describes the Adaptive Network Hardening + /// settings for some Azure resource + /// + [Rest.Serialization.JsonTransformation] + public partial class AdaptiveNetworkHardening : Resource + { + /// + /// Initializes a new instance of the AdaptiveNetworkHardening class. + /// + public AdaptiveNetworkHardening() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AdaptiveNetworkHardening class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The security rules which are recommended to be + /// effective on the VM + /// The UTC time on which the rules + /// were calculated + /// The Network Security + /// Groups effective on the network interfaces of the protected + /// resource + public AdaptiveNetworkHardening(string id = default(string), string name = default(string), string type = default(string), IList rules = default(IList), System.DateTime? 
rulesCalculationTime = default(System.DateTime?), IList effectiveNetworkSecurityGroups = default(IList)) + : base(id, name, type) + { + Rules = rules; + RulesCalculationTime = rulesCalculationTime; + EffectiveNetworkSecurityGroups = effectiveNetworkSecurityGroups; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the security rules which are recommended to be + /// effective on the VM + /// + [JsonProperty(PropertyName = "properties.rules")] + public IList Rules { get; set; } + + /// + /// Gets or sets the UTC time on which the rules were calculated + /// + [JsonProperty(PropertyName = "properties.rulesCalculationTime")] + public System.DateTime? RulesCalculationTime { get; set; } + + /// + /// Gets or sets the Network Security Groups effective on the network + /// interfaces of the protected resource + /// + [JsonProperty(PropertyName = "properties.effectiveNetworkSecurityGroups")] + public IList EffectiveNetworkSecurityGroups { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardeningEnforceRequest.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardeningEnforceRequest.cs new file mode 100644 index 000000000000..6ec2af5cda64 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdaptiveNetworkHardeningEnforceRequest.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class AdaptiveNetworkHardeningEnforceRequest + { + /// + /// Initializes a new instance of the + /// AdaptiveNetworkHardeningEnforceRequest class. + /// + public AdaptiveNetworkHardeningEnforceRequest() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AdaptiveNetworkHardeningEnforceRequest class. + /// + /// The rules to enforce + /// The Azure resource IDs of the + /// effective network security groups that will be updated with the + /// created security rules from the Adaptive Network Hardening + /// rules + public AdaptiveNetworkHardeningEnforceRequest(IList rules, IList networkSecurityGroups) + { + Rules = rules; + NetworkSecurityGroups = networkSecurityGroups; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the rules to enforce + /// + [JsonProperty(PropertyName = "rules")] + public IList Rules { get; set; } + + /// + /// Gets or sets the Azure resource IDs of the effective network + /// security groups that will be updated with the created security + /// rules from the Adaptive Network Hardening rules + /// + [JsonProperty(PropertyName = "networkSecurityGroups")] + public IList NetworkSecurityGroups { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Rules == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Rules"); + } + if (NetworkSecurityGroups == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "NetworkSecurityGroups"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdditionalData.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalData.cs new file mode 100644 index 000000000000..efcb3ced1b86 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalData.cs @@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the sub-assessment + /// + [Newtonsoft.Json.JsonObject("AdditionalData")] + public partial class AdditionalData + { + /// + /// Initializes a new instance of the AdditionalData class. + /// + public AdditionalData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceDataType.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceDataType.cs new file mode 100644 index 000000000000..676173dbafca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceDataType.cs 
@@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AdditionalWorkspaceDataType. + /// + public static class AdditionalWorkspaceDataType + { + public const string Alerts = "Alerts"; + public const string RawEvents = "RawEvents"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceType.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceType.cs new file mode 100644 index 000000000000..62a80cafd8d8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspaceType.cs @@ -0,0 +1,21 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AdditionalWorkspaceType. + /// + public static class AdditionalWorkspaceType + { + public const string Sentinel = "Sentinel"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspacesProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspacesProperties.cs new file mode 100644 index 000000000000..832e8fc248f4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdditionalWorkspacesProperties.cs 
@@ -0,0 +1,73 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Properties of the additional workspaces. + /// + public partial class AdditionalWorkspacesProperties + { + /// + /// Initializes a new instance of the AdditionalWorkspacesProperties + /// class. + /// + public AdditionalWorkspacesProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AdditionalWorkspacesProperties + /// class. + /// + /// Workspace resource id + /// Workspace type. Possible values include: + /// 'Sentinel' + /// List of data types sent to + /// workspace + public AdditionalWorkspacesProperties(string workspace = default(string), string type = default(string), IList dataTypes = default(IList)) + { + Workspace = workspace; + Type = type; + DataTypes = dataTypes; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets workspace resource id + /// + [JsonProperty(PropertyName = "workspace")] + public string Workspace { get; set; } + + /// + /// Gets or sets workspace type. Possible values include: 'Sentinel' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + /// + /// Gets or sets list of data types sent to workspace + /// + [JsonProperty(PropertyName = "dataTypes")] + public IList DataTypes { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AdvancedThreatProtectionSetting.cs b/src/Security/Security.Management.Sdk/Generated/Models/AdvancedThreatProtectionSetting.cs new file mode 100644 index 000000000000..fac496f0f512 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AdvancedThreatProtectionSetting.cs @@ -0,0 +1,62 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Advanced Threat Protection resource. + /// + [Rest.Serialization.JsonTransformation] + public partial class AdvancedThreatProtectionSetting : Resource + { + /// + /// Initializes a new instance of the AdvancedThreatProtectionSetting + /// class. + /// + public AdvancedThreatProtectionSetting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AdvancedThreatProtectionSetting + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Indicates whether Advanced Threat + /// Protection is enabled. + public AdvancedThreatProtectionSetting(string id = default(string), string name = default(string), string type = default(string), bool? isEnabled = default(bool?)) + : base(id, name, type) + { + IsEnabled = isEnabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets indicates whether Advanced Threat Protection is + /// enabled. + /// + [JsonProperty(PropertyName = "properties.isEnabled")] + public bool? IsEnabled { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs index eed55ecbc415..b2440faeba39 100644 --- a/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSimulatorRequestProperties.cs @@ -18,6 +18,7 @@ namespace Microsoft.Azure.Management.Security.Models /// /// Describes properties of an alert simulation request /// + [Newtonsoft.Json.JsonObject("AlertSimulatorRequestProperties")] public partial class AlertSimulatorRequestProperties { /// diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertSyncSettings.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertSyncSettings.cs new file mode 100644 index 000000000000..be34c37af7cb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertSyncSettings.cs 
@@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents an alert sync setting + /// + [Newtonsoft.Json.JsonObject("AlertSyncSettings")] + [Rest.Serialization.JsonTransformation] + public partial class AlertSyncSettings : Setting + { + /// + /// Initializes a new instance of the AlertSyncSettings class. + /// + public AlertSyncSettings() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertSyncSettings class. + /// + /// Is the alert sync setting enabled + /// Resource Id + /// Resource name + /// Resource type + public AlertSyncSettings(bool enabled, string id = default(string), string name = default(string), string type = default(string)) + : base(id, name, type) + { + Enabled = enabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is the alert sync setting enabled + /// + [JsonProperty(PropertyName = "properties.enabled")] + public bool Enabled { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + //Nothing to validate + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AlertsSuppressionRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/AlertsSuppressionRule.cs new file mode 100644 index 000000000000..286a4e6ee6b3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AlertsSuppressionRule.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes the suppression rule + /// + [Rest.Serialization.JsonTransformation] + public partial class AlertsSuppressionRule : Resource + { + /// + /// Initializes a new instance of the AlertsSuppressionRule class. + /// + public AlertsSuppressionRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AlertsSuppressionRule class. + /// + /// Type of the alert to automatically + /// suppress. For all alert types, use '*' + /// The reason for dismissing the alert + /// Possible states of the rule. Possible values + /// include: 'Enabled', 'Disabled', 'Expired' + /// Resource Id + /// Resource name + /// Resource type + /// The last time this rule was + /// modified + /// Expiration date of the rule, if + /// value is not provided or provided as null this field will default + /// to the maximum allowed expiration date. + /// Any comment regarding the rule + /// The suppression + /// conditions + public AlertsSuppressionRule(string alertType, string reason, RuleState state, string id = default(string), string name = default(string), string type = default(string), System.DateTime? lastModifiedUtc = default(System.DateTime?), System.DateTime? 
expirationDateUtc = default(System.DateTime?), string comment = default(string), SuppressionAlertsScope suppressionAlertsScope = default(SuppressionAlertsScope)) + : base(id, name, type) + { + AlertType = alertType; + LastModifiedUtc = lastModifiedUtc; + ExpirationDateUtc = expirationDateUtc; + Reason = reason; + State = state; + Comment = comment; + SuppressionAlertsScope = suppressionAlertsScope; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets type of the alert to automatically suppress. For all + /// alert types, use '*' + /// + [JsonProperty(PropertyName = "properties.alertType")] + public string AlertType { get; set; } + + /// + /// Gets the last time this rule was modified + /// + [JsonProperty(PropertyName = "properties.lastModifiedUtc")] + public System.DateTime? LastModifiedUtc { get; private set; } + + /// + /// Gets or sets expiration date of the rule, if value is not provided + /// or provided as null this field will default to the maximum allowed + /// expiration date. + /// + [JsonProperty(PropertyName = "properties.expirationDateUtc")] + public System.DateTime? ExpirationDateUtc { get; set; } + + /// + /// Gets or sets the reason for dismissing the alert + /// + [JsonProperty(PropertyName = "properties.reason")] + public string Reason { get; set; } + + /// + /// Gets or sets possible states of the rule. 
Possible values include: + /// 'Enabled', 'Disabled', 'Expired' + /// + [JsonProperty(PropertyName = "properties.state")] + public RuleState State { get; set; } + + /// + /// Gets or sets any comment regarding the rule + /// + [JsonProperty(PropertyName = "properties.comment")] + public string Comment { get; set; } + + /// + /// Gets or sets the suppression conditions + /// + [JsonProperty(PropertyName = "properties.suppressionAlertsScope")] + public SuppressionAlertsScope SuppressionAlertsScope { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AlertType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AlertType"); + } + if (Reason == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Reason"); + } + if (SuppressionAlertsScope != null) + { + SuppressionAlertsScope.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AllowedConnectionsResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/AllowedConnectionsResource.cs new file mode 100644 index 000000000000..698a71888509 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AllowedConnectionsResource.cs 
@@ -0,0 +1,101 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The resource whose properties describes the allowed traffic between + /// Azure resources + /// + [Rest.Serialization.JsonTransformation] + public partial class AllowedConnectionsResource + { + /// + /// Initializes a new instance of the AllowedConnectionsResource class. + /// + public AllowedConnectionsResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AllowedConnectionsResource class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// The UTC time on which the allowed + /// connections resource was calculated + /// List of connectable + /// resources + public AllowedConnectionsResource(string id = default(string), string name = default(string), string type = default(string), string location = default(string), System.DateTime? 
calculatedDateTime = default(System.DateTime?), IList connectableResources = default(IList)) + { + Id = id; + Name = name; + Type = type; + Location = location; + CalculatedDateTime = calculatedDateTime; + ConnectableResources = connectableResources; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets the UTC time on which the allowed connections resource was + /// calculated + /// + [JsonProperty(PropertyName = "properties.calculatedDateTime")] + public System.DateTime? CalculatedDateTime { get; private set; } + + /// + /// Gets list of connectable resources + /// + [JsonProperty(PropertyName = "properties.connectableResources")] + public IList ConnectableResources { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AllowlistCustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/AllowlistCustomAlertRule.cs new file mode 100644 index 000000000000..9033e1abbffb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AllowlistCustomAlertRule.cs 
@@ -0,0 +1,80 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A custom alert rule that checks if a value (depends on the custom alert + /// type) is allowed. + /// + [Newtonsoft.Json.JsonObject("AllowlistCustomAlertRule")] + public partial class AllowlistCustomAlertRule : ListCustomAlertRule + { + /// + /// Initializes a new instance of the AllowlistCustomAlertRule class. + /// + public AllowlistCustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AllowlistCustomAlertRule class. + /// + /// Status of the custom alert. + /// The values to allow. The format of + /// the values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public AllowlistCustomAlertRule(bool isEnabled, IList allowlistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, displayName, description, valueType) + { + AllowlistValues = allowlistValues; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the values to allow. The format of the values depends + /// on the rule type. 
+ /// + [JsonProperty(PropertyName = "allowlistValues")] + public IList AllowlistValues { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + if (AllowlistValues == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AllowlistValues"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..83fcf7eef6d5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of cloud to device messages (AMQP protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("AmqpC2DMessagesNotInAllowedRange")] + public partial class AmqpC2DMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the AmqpC2DMessagesNotInAllowedRange + /// class. + /// + public AmqpC2DMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AmqpC2DMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public AmqpC2DMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DRejectedMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DRejectedMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..61375802e9ea --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AmqpC2DRejectedMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of rejected cloud to device messages (AMQP protocol) is not in + /// allowed range. + /// + [Newtonsoft.Json.JsonObject("AmqpC2DRejectedMessagesNotInAllowedRange")] + public partial class AmqpC2DRejectedMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// AmqpC2DRejectedMessagesNotInAllowedRange class. + /// + public AmqpC2DRejectedMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AmqpC2DRejectedMessagesNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public AmqpC2DRejectedMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AmqpD2CMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/AmqpD2CMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..fd6dd48b1060 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AmqpD2CMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of device to cloud messages (AMQP protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("AmqpD2CMessagesNotInAllowedRange")] + public partial class AmqpD2CMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the AmqpD2CMessagesNotInAllowedRange + /// class. + /// + public AmqpD2CMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AmqpD2CMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public AmqpD2CMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Application.cs b/src/Security/Security.Management.Sdk/Generated/Models/Application.cs new file mode 100644 index 000000000000..54b0b59b41be --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Application.cs 
@@ -0,0 +1,103 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security Application over a given scope + /// + [Rest.Serialization.JsonTransformation] + public partial class Application : Resource + { + /// + /// Initializes a new instance of the Application class. + /// + public Application() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Application class. + /// + /// The application conditionSets - see + /// examples + /// Resource Id + /// Resource name + /// Resource type + /// display name of the application + /// description of the application + public Application(IList conditionSets, string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), string description = default(string)) + : base(id, name, type) + { + DisplayName = displayName; + Description = description; + ConditionSets = conditionSets; + CustomInit(); + } + /// + /// Static constructor for Application class. 
+ /// + static Application() + { + SourceResourceType = "Assessments"; + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets display name of the application + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets description of the application + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets the application conditionSets - see examples + /// + [JsonProperty(PropertyName = "properties.conditionSets")] + public IList ConditionSets { get; set; } + + /// + /// The application source, what it affects, e.g. Assessments + /// + [JsonProperty(PropertyName = "properties.sourceResourceType")] + public static string SourceResourceType { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (ConditionSets == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ConditionSets"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ApplicationCondition.cs b/src/Security/Security.Management.Sdk/Generated/Models/ApplicationCondition.cs new file mode 100644 index 000000000000..b9695a15088e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ApplicationCondition.cs 
@@ -0,0 +1,76 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Application's condition + /// + public partial class ApplicationCondition + { + /// + /// Initializes a new instance of the ApplicationCondition class. + /// + public ApplicationCondition() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ApplicationCondition class. + /// + /// The application Condition's Property, e.g. + /// ID, see examples + /// The application Condition's Value like IDs that + /// contain some string, see examples + /// The application Condition's + /// Operator, for example Contains for id or In for list of possible + /// IDs, see examples. Possible values include: 'Contains', 'Equals', + /// 'In' + public ApplicationCondition(string property = default(string), string value = default(string), string operatorProperty = default(string)) + { + Property = property; + Value = value; + OperatorProperty = operatorProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the application Condition's Property, e.g. 
ID, see + /// examples + /// + [JsonProperty(PropertyName = "property")] + public string Property { get; set; } + + /// + /// Gets or sets the application Condition's Value like IDs that + /// contain some string, see examples + /// + [JsonProperty(PropertyName = "value")] + public string Value { get; set; } + + /// + /// Gets or sets the application Condition's Operator, for example + /// Contains for id or In for list of possible IDs, see examples. + /// Possible values include: 'Contains', 'Equals', 'In' + /// + [JsonProperty(PropertyName = "operator")] + public string OperatorProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ApplicationConditionOperator.cs b/src/Security/Security.Management.Sdk/Generated/Models/ApplicationConditionOperator.cs new file mode 100644 index 000000000000..ed90495fc698 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ApplicationConditionOperator.cs @@ -0,0 +1,35 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ApplicationConditionOperator. + /// + public static class ApplicationConditionOperator + { + /// + /// Checks that the string value of the data defined in Property + /// contains the given value + /// + public const string Contains = "Contains"; + /// + /// Checks that the string value of the data defined in Property equals + /// the given value + /// + public const string Equals = "Equals"; + /// + /// Checks that the string value of the data defined in Property equals + /// any of the given values (exact fit) + /// + public const string In = "In"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AssessmentLinks.cs b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentLinks.cs new file mode 100644 index 000000000000..95ac7c0a98ef --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentLinks.cs @@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Links relevant to the assessment + /// + public partial class AssessmentLinks + { + /// + /// Initializes a new instance of the AssessmentLinks class. + /// + public AssessmentLinks() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AssessmentLinks class. + /// + /// Link to assessment in Azure + /// Portal + public AssessmentLinks(string azurePortalUri = default(string)) + { + AzurePortalUri = azurePortalUri; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets link to assessment in Azure Portal + /// + [JsonProperty(PropertyName = "azurePortalUri")] + public string AzurePortalUri { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatus.cs new file mode 100644 index 000000000000..10c8e8539eac --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatus.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The result of the assessment + /// + public partial class AssessmentStatus + { + /// + /// Initializes a new instance of the AssessmentStatus class. + /// + public AssessmentStatus() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AssessmentStatus class. + /// + /// Programmatic code for the status of the + /// assessment. Possible values include: 'Healthy', 'Unhealthy', + /// 'NotApplicable' + /// Programmatic code for the cause of the + /// assessment status + /// Human readable description of the + /// assessment status + public AssessmentStatus(string code, string cause = default(string), string description = default(string)) + { + Code = code; + Cause = cause; + Description = description; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets programmatic code for the status of the assessment. + /// Possible values include: 'Healthy', 'Unhealthy', 'NotApplicable' + /// + [JsonProperty(PropertyName = "code")] + public string Code { get; set; } + + /// + /// Gets or sets programmatic code for the cause of the assessment + /// status + /// + [JsonProperty(PropertyName = "cause")] + public string Cause { get; set; } + + /// + /// Gets or sets human readable description of the assessment status + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Code == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Code"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusCode.cs b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusCode.cs new file mode 100644 index 000000000000..c886cae05ca2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusCode.cs @@ -0,0 +1,32 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AssessmentStatusCode. + /// + public static class AssessmentStatusCode + { + /// + /// The resource is healthy + /// + public const string Healthy = "Healthy"; + /// + /// The resource has a security issue that needs to be addressed + /// + public const string Unhealthy = "Unhealthy"; + /// + /// Assessment for this resource did not happen + /// + public const string NotApplicable = "NotApplicable"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusResponse.cs b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusResponse.cs new file mode 100644 index 000000000000..8c65907db4db --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentStatusResponse.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The result of the assessment + /// + public partial class AssessmentStatusResponse : AssessmentStatus + { + /// + /// Initializes a new instance of the AssessmentStatusResponse class. + /// + public AssessmentStatusResponse() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AssessmentStatusResponse class. + /// + /// Programmatic code for the status of the + /// assessment. Possible values include: 'Healthy', 'Unhealthy', + /// 'NotApplicable' + /// Programmatic code for the cause of the + /// assessment status + /// Human readable description of the + /// assessment status + /// The time that the assessment was + /// created and first evaluated. Returned as UTC time in ISO 8601 + /// format + /// The time that the status of the + /// assessment last changed. Returned as UTC time in ISO 8601 + /// format + public AssessmentStatusResponse(string code, string cause = default(string), string description = default(string), System.DateTime? firstEvaluationDate = default(System.DateTime?), System.DateTime? statusChangeDate = default(System.DateTime?)) + : base(code, cause, description) + { + FirstEvaluationDate = firstEvaluationDate; + StatusChangeDate = statusChangeDate; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the time that the assessment was created and first evaluated. 
+ /// Returned as UTC time in ISO 8601 format + /// + [JsonProperty(PropertyName = "firstEvaluationDate")] + public System.DateTime? FirstEvaluationDate { get; private set; } + + /// + /// Gets the time that the status of the assessment last changed. + /// Returned as UTC time in ISO 8601 format + /// + [JsonProperty(PropertyName = "statusChangeDate")] + public System.DateTime? StatusChangeDate { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AssessmentType.cs b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentType.cs new file mode 100644 index 000000000000..6eaa023c7fd9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AssessmentType.cs 
@@ -0,0 +1,39 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AssessmentType. + /// + public static class AssessmentType + { + /// + /// Microsoft Defender for Cloud managed assessments + /// + public const string BuiltIn = "BuiltIn"; + /// + /// User defined policies that are automatically ingested from Azure + /// Policy to Microsoft Defender for Cloud + /// + public const string CustomPolicy = "CustomPolicy"; + /// + /// User assessments pushed directly by the user or other third party + /// to Microsoft Defender for Cloud + /// + public const string CustomerManaged = "CustomerManaged"; + /// + /// An assessment that was created by a verified 3rd party if the user + /// connected it to ASC + /// + public const string VerifiedPartner = "VerifiedPartner"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AtaExternalSecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/AtaExternalSecuritySolution.cs new file mode 100644 index 000000000000..e4c37c3b9e05 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AtaExternalSecuritySolution.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents an ATA security solution which sends logs to an OMS + /// workspace + /// + [Newtonsoft.Json.JsonObject("ATA")] + public partial class AtaExternalSecuritySolution : ExternalSecuritySolution + { + /// + /// Initializes a new instance of the AtaExternalSecuritySolution + /// class. + /// + public AtaExternalSecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AtaExternalSecuritySolution + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public AtaExternalSecuritySolution(string id = default(string), string name = default(string), string type = default(string), string location = default(string), AtaSolutionProperties properties = default(AtaSolutionProperties)) + : base(id, name, type, location) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public AtaSolutionProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AtaSolutionProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AtaSolutionProperties.cs new file mode 100644 index 000000000000..482a89428aee --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AtaSolutionProperties.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The external security solution properties for ATA solutions + /// + public partial class AtaSolutionProperties : ExternalSecuritySolutionProperties + { + /// + /// Initializes a new instance of the AtaSolutionProperties class. + /// + public AtaSolutionProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AtaSolutionProperties class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + public AtaSolutionProperties(IDictionary additionalProperties = default(IDictionary), string deviceVendor = default(string), string deviceType = default(string), ConnectedWorkspace workspace = default(ConnectedWorkspace), string lastEventReceived = default(string)) + : base(additionalProperties, deviceVendor, deviceType, workspace) + { + LastEventReceived = lastEventReceived; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "lastEventReceived")] + public string LastEventReceived { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationDetailsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationDetailsProperties.cs new file mode 100644 index 000000000000..bf9f8117be03 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationDetailsProperties.cs 
@@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Settings for cloud authentication management + /// + [Newtonsoft.Json.JsonObject("AuthenticationDetailsProperties")] + public partial class AuthenticationDetailsProperties + { + /// + /// Initializes a new instance of the AuthenticationDetailsProperties + /// class. + /// + public AuthenticationDetailsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AuthenticationDetailsProperties + /// class. + /// + /// State of the + /// multi-cloud connector. Possible values include: 'Valid', 'Invalid', + /// 'Expired', 'IncorrectPolicy' + /// The permissions detected in the + /// cloud account. + public AuthenticationDetailsProperties(string authenticationProvisioningState = default(string), IList grantedPermissions = default(IList)) + { + AuthenticationProvisioningState = authenticationProvisioningState; + GrantedPermissions = grantedPermissions; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets state of the multi-cloud connector. Possible values include: + /// 'Valid', 'Invalid', 'Expired', 'IncorrectPolicy' + /// + [JsonProperty(PropertyName = "authenticationProvisioningState")] + public string AuthenticationProvisioningState { get; private set; } + + /// + /// Gets the permissions detected in the cloud account. 
+ /// + [JsonProperty(PropertyName = "grantedPermissions")] + public IList GrantedPermissions { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationProvisioningState.cs b/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationProvisioningState.cs new file mode 100644 index 000000000000..7db7aa930cd6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AuthenticationProvisioningState.cs @@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AuthenticationProvisioningState. + /// + public static class AuthenticationProvisioningState + { + /// + /// Valid connector + /// + public const string Valid = "Valid"; + /// + /// Invalid connector + /// + public const string Invalid = "Invalid"; + /// + /// the connection has expired + /// + public const string Expired = "Expired"; + /// + /// Incorrect policy of the connector + /// + public const string IncorrectPolicy = "IncorrectPolicy"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutoProvision.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutoProvision.cs new file mode 100644 index 000000000000..4f43de04f692 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutoProvision.cs 
@@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for AutoProvision. + /// + public static class AutoProvision + { + /// + /// Install missing security agent on VMs automatically + /// + public const string On = "On"; + /// + /// Do not install security agent on the VMs automatically + /// + public const string Off = "Off"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutoProvisioningSetting.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutoProvisioningSetting.cs new file mode 100644 index 000000000000..c91262555845 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutoProvisioningSetting.cs 
@@ -0,0 +1,74 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Auto provisioning setting + /// + [Rest.Serialization.JsonTransformation] + public partial class AutoProvisioningSetting : Resource + { + /// + /// Initializes a new instance of the AutoProvisioningSetting class. + /// + public AutoProvisioningSetting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutoProvisioningSetting class. + /// + /// Describes what kind of security agent + /// provisioning action to take. Possible values include: 'On', + /// 'Off' + /// Resource Id + /// Resource name + /// Resource type + public AutoProvisioningSetting(string autoProvision, string id = default(string), string name = default(string), string type = default(string)) + : base(id, name, type) + { + AutoProvision = autoProvision; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets describes what kind of security agent provisioning + /// action to take. Possible values include: 'On', 'Off' + /// + [JsonProperty(PropertyName = "properties.autoProvision")] + public string AutoProvision { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AutoProvision == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AutoProvision"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Automation.cs b/src/Security/Security.Management.Sdk/Generated/Models/Automation.cs new file mode 100644 index 000000000000..779e4c004182 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Automation.cs 
@@ -0,0 +1,113 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The security automation resource. + /// + [Rest.Serialization.JsonTransformation] + public partial class Automation : TrackedResource + { + /// + /// Initializes a new instance of the Automation class. + /// + public Automation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Automation class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// Kind of the resource + /// Entity tag is used for comparing two or more + /// entities from the same requested resource. + /// A list of key value pairs that describe the + /// resource. + /// The security automation + /// description. + /// Indicates whether the security automation + /// is enabled. + /// A collection of scopes on which the security + /// automations logic is applied. Supported scopes are the subscription + /// itself or a resource group under that subscription. The automation + /// will only apply on defined scopes. + /// A collection of the source event types which + /// evaluate the security automation set of rules. + /// A collection of the actions which are + /// triggered if all the configured rules evaluations, within at least + /// one rule set, are true. 
+ public Automation(string id = default(string), string name = default(string), string type = default(string), string location = default(string), string kind = default(string), string etag = default(string), IDictionary tags = default(IDictionary), string description = default(string), bool? isEnabled = default(bool?), IList scopes = default(IList), IList sources = default(IList), IList actions = default(IList)) + : base(id, name, type, location, kind, etag, tags) + { + Description = description; + IsEnabled = isEnabled; + Scopes = scopes; + Sources = sources; + Actions = actions; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the security automation description. + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets indicates whether the security automation is enabled. + /// + [JsonProperty(PropertyName = "properties.isEnabled")] + public bool? IsEnabled { get; set; } + + /// + /// Gets or sets a collection of scopes on which the security + /// automations logic is applied. Supported scopes are the subscription + /// itself or a resource group under that subscription. The automation + /// will only apply on defined scopes. + /// + [JsonProperty(PropertyName = "properties.scopes")] + public IList Scopes { get; set; } + + /// + /// Gets or sets a collection of the source event types which evaluate + /// the security automation set of rules. + /// + [JsonProperty(PropertyName = "properties.sources")] + public IList Sources { get; set; } + + /// + /// Gets or sets a collection of the actions which are triggered if all + /// the configured rules evaluations, within at least one rule set, are + /// true. + /// + [JsonProperty(PropertyName = "properties.actions")] + public IList Actions { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationAction.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationAction.cs new file mode 100644 index 000000000000..e486a3ba01b9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationAction.cs @@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The action that should be triggered. + /// + [Newtonsoft.Json.JsonObject("AutomationAction")] + public partial class AutomationAction + { + /// + /// Initializes a new instance of the AutomationAction class. + /// + public AutomationAction() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionEventHub.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionEventHub.cs new file mode 100644 index 000000000000..b6cebe530d82 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionEventHub.cs 
@@ -0,0 +1,74 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The target Event Hub to which event data will be exported. To learn + /// more about Microsoft Defender for Cloud continuous export capabilities, + /// visit https://aka.ms/ASCExportLearnMore + /// + [Newtonsoft.Json.JsonObject("EventHub")] + public partial class AutomationActionEventHub : AutomationAction + { + /// + /// Initializes a new instance of the AutomationActionEventHub class. + /// + public AutomationActionEventHub() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationActionEventHub class. + /// + /// The target Event Hub Azure + /// Resource ID. + /// The target Event Hub SAS policy + /// name. + /// The target Event Hub connection + /// string (it will not be included in any response). + public AutomationActionEventHub(string eventHubResourceId = default(string), string sasPolicyName = default(string), string connectionString = default(string)) + { + EventHubResourceId = eventHubResourceId; + SasPolicyName = sasPolicyName; + ConnectionString = connectionString; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the target Event Hub Azure Resource ID. + /// + [JsonProperty(PropertyName = "eventHubResourceId")] + public string EventHubResourceId { get; set; } + + /// + /// Gets the target Event Hub SAS policy name. 
+ /// + [JsonProperty(PropertyName = "sasPolicyName")] + public string SasPolicyName { get; private set; } + + /// + /// Gets or sets the target Event Hub connection string (it will not be + /// included in any response). + /// + [JsonProperty(PropertyName = "connectionString")] + public string ConnectionString { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionLogicApp.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionLogicApp.cs new file mode 100644 index 000000000000..36b20d49d914 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionLogicApp.cs 
@@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The logic app action that should be triggered. To learn more about + /// Microsoft Defender for Cloud's Workflow Automation capabilities, visit + /// https://aka.ms/ASCWorkflowAutomationLearnMore + /// + [Newtonsoft.Json.JsonObject("LogicApp")] + public partial class AutomationActionLogicApp : AutomationAction + { + /// + /// Initializes a new instance of the AutomationActionLogicApp class. + /// + public AutomationActionLogicApp() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationActionLogicApp class. + /// + /// The triggered Logic App Azure + /// Resource ID. This can also reside on other subscriptions, given + /// that you have permissions to trigger the Logic App + /// The Logic App trigger URI endpoint (it will not + /// be included in any response). + public AutomationActionLogicApp(string logicAppResourceId = default(string), string uri = default(string)) + { + LogicAppResourceId = logicAppResourceId; + Uri = uri; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the triggered Logic App Azure Resource ID. This can + /// also reside on other subscriptions, given that you have permissions + /// to trigger the Logic App + /// + [JsonProperty(PropertyName = "logicAppResourceId")] + public string LogicAppResourceId { get; set; } + + /// + /// Gets or sets the Logic App trigger URI endpoint (it will not be + /// included in any response). 
+ /// + [JsonProperty(PropertyName = "uri")] + public string Uri { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionWorkspace.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionWorkspace.cs new file mode 100644 index 000000000000..ccee3a5f2258 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationActionWorkspace.cs 
@@ -0,0 +1,61 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Log Analytics Workspace to which event data will be exported. + /// Security alerts data will reside in the 'SecurityAlert' table and the + /// assessments data will reside in the 'SecurityRecommendation' table + /// (under the 'Security'/'SecurityCenterFree' solutions). Note that in + /// order to view the data in the workspace, the Security Center Log + /// Analytics free/standard solution needs to be enabled on that workspace. + /// To learn more about Microsoft Defender for Cloud continuous export + /// capabilities, visit https://aka.ms/ASCExportLearnMore + /// + [Newtonsoft.Json.JsonObject("Workspace")] + public partial class AutomationActionWorkspace : AutomationAction + { + /// + /// Initializes a new instance of the AutomationActionWorkspace class. + /// + public AutomationActionWorkspace() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationActionWorkspace class. + /// + /// The fully qualified Log Analytics + /// Workspace Azure Resource ID. + public AutomationActionWorkspace(string workspaceResourceId = default(string)) + { + WorkspaceResourceId = workspaceResourceId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the fully qualified Log Analytics Workspace Azure + /// Resource ID. + /// + [JsonProperty(PropertyName = "workspaceResourceId")] + public string WorkspaceResourceId { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationRuleSet.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationRuleSet.cs new file mode 100644 index 000000000000..894960364084 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationRuleSet.cs @@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A rule set which evaluates all its rules upon an event interception. + /// Only when all the included rules in the rule set will be evaluated as + /// 'true', will the event trigger the defined actions. + /// + public partial class AutomationRuleSet + { + /// + /// Initializes a new instance of the AutomationRuleSet class. + /// + public AutomationRuleSet() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationRuleSet class. + /// + public AutomationRuleSet(IList rules = default(IList)) + { + Rules = rules; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "rules")] + public IList Rules { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationScope.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationScope.cs new file mode 100644 index 000000000000..ced4486980ea --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationScope.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A single automation scope. + /// + public partial class AutomationScope + { + /// + /// Initializes a new instance of the AutomationScope class. + /// + public AutomationScope() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationScope class. + /// + /// The resources scope description. + /// The resources scope path. Can be the + /// subscription on which the automation is defined on or a resource + /// group under that subscription (fully qualified Azure resource + /// IDs). + public AutomationScope(string description = default(string), string scopePath = default(string)) + { + Description = description; + ScopePath = scopePath; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the resources scope description. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets the resources scope path. Can be the subscription on + /// which the automation is defined on or a resource group under that + /// subscription (fully qualified Azure resource IDs). + /// + [JsonProperty(PropertyName = "scopePath")] + public string ScopePath { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationSource.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationSource.cs new file mode 100644 index 000000000000..4ca8dd6c764f --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationSource.cs 
@@ -0,0 +1,78 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The source event types which evaluate the security automation set of + /// rules. For example - security alerts and security assessments. To learn + /// more about the supported security events data models schemas - please + /// visit https://aka.ms/ASCAutomationSchemas. + /// + public partial class AutomationSource + { + /// + /// Initializes a new instance of the AutomationSource class. + /// + public AutomationSource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationSource class. + /// + /// A valid event source type. Possible + /// values include: 'Assessments', 'AssessmentsSnapshot', + /// 'SubAssessments', 'SubAssessmentsSnapshot', 'Alerts', + /// 'SecureScores', 'SecureScoresSnapshot', 'SecureScoreControls', + /// 'SecureScoreControlsSnapshot', 'RegulatoryComplianceAssessment', + /// 'RegulatoryComplianceAssessmentSnapshot' + /// A set of rules which evaluate upon event + /// interception. A logical disjunction is applied between defined rule + /// sets (logical 'or'). + public AutomationSource(string eventSource = default(string), IList ruleSets = default(IList)) + { + EventSource = eventSource; + RuleSets = ruleSets; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets a valid event source type. 
Possible values include: + /// 'Assessments', 'AssessmentsSnapshot', 'SubAssessments', + /// 'SubAssessmentsSnapshot', 'Alerts', 'SecureScores', + /// 'SecureScoresSnapshot', 'SecureScoreControls', + /// 'SecureScoreControlsSnapshot', 'RegulatoryComplianceAssessment', + /// 'RegulatoryComplianceAssessmentSnapshot' + /// + [JsonProperty(PropertyName = "eventSource")] + public string EventSource { get; set; } + + /// + /// Gets or sets a set of rules which evaluate upon event interception. + /// A logical disjunction is applied between defined rule sets (logical + /// 'or'). + /// + [JsonProperty(PropertyName = "ruleSets")] + public IList RuleSets { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationTriggeringRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationTriggeringRule.cs new file mode 100644 index 000000000000..a08d617056f6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationTriggeringRule.cs 
@@ -0,0 +1,93 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A rule which is evaluated upon event interception. The rule is + /// configured by comparing a specific value from the event model to an + /// expected value. This comparison is done by using one of the supported + /// operators set. + /// + public partial class AutomationTriggeringRule + { + /// + /// Initializes a new instance of the AutomationTriggeringRule class. + /// + public AutomationTriggeringRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationTriggeringRule class. + /// + /// The JPath of the entity model property + /// that should be checked. + /// The data type of the compared operands + /// (string, integer, floating point number or a boolean [true/false]]. + /// Possible values include: 'String', 'Integer', 'Number', + /// 'Boolean' + /// The expected value. + /// A valid comparer operator to use. A + /// case-insensitive comparison will be applied for String + /// PropertyType. 
Possible values include: 'Equals', 'GreaterThan', + /// 'GreaterThanOrEqualTo', 'LesserThan', 'LesserThanOrEqualTo', + /// 'NotEquals', 'Contains', 'StartsWith', 'EndsWith' + public AutomationTriggeringRule(string propertyJPath = default(string), string propertyType = default(string), string expectedValue = default(string), string operatorProperty = default(string)) + { + PropertyJPath = propertyJPath; + PropertyType = propertyType; + ExpectedValue = expectedValue; + OperatorProperty = operatorProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the JPath of the entity model property that should be + /// checked. + /// + [JsonProperty(PropertyName = "propertyJPath")] + public string PropertyJPath { get; set; } + + /// + /// Gets or sets the data type of the compared operands (string, + /// integer, floating point number or a boolean [true/false]]. Possible + /// values include: 'String', 'Integer', 'Number', 'Boolean' + /// + [JsonProperty(PropertyName = "propertyType")] + public string PropertyType { get; set; } + + /// + /// Gets or sets the expected value. + /// + [JsonProperty(PropertyName = "expectedValue")] + public string ExpectedValue { get; set; } + + /// + /// Gets or sets a valid comparer operator to use. A case-insensitive + /// comparison will be applied for String PropertyType. Possible values + /// include: 'Equals', 'GreaterThan', 'GreaterThanOrEqualTo', + /// 'LesserThan', 'LesserThanOrEqualTo', 'NotEquals', 'Contains', + /// 'StartsWith', 'EndsWith' + /// + [JsonProperty(PropertyName = "operator")] + public string OperatorProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AutomationValidationStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/AutomationValidationStatus.cs new file mode 100644 index 000000000000..d72b1cde55b2 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/AutomationValidationStatus.cs @@ -0,0 +1,60 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The security automation model state property bag. + /// + public partial class AutomationValidationStatus + { + /// + /// Initializes a new instance of the AutomationValidationStatus class. + /// + public AutomationValidationStatus() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AutomationValidationStatus class. + /// + /// Indicates whether the model is valid or + /// not. + /// The validation message. + public AutomationValidationStatus(bool? isValid = default(bool?), string message = default(string)) + { + IsValid = isValid; + Message = message; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets indicates whether the model is valid or not. + /// + [JsonProperty(PropertyName = "isValid")] + public bool? IsValid { get; set; } + + /// + /// Gets or sets the validation message. + /// + [JsonProperty(PropertyName = "message")] + public string Message { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwAssumeRoleAuthenticationDetailsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwAssumeRoleAuthenticationDetailsProperties.cs new file mode 100644 index 000000000000..d23662cc5f9a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwAssumeRoleAuthenticationDetailsProperties.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// AWS cloud account connector based assume role, the role enables + /// delegating access to your AWS resources. The role is composed of role + /// Amazon Resource Name (ARN) and external ID. For more details, refer to + /// <a + /// href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html">Creating + /// a Role to Delegate Permissions to an IAM User (write only)</a> + /// + [Newtonsoft.Json.JsonObject("awsAssumeRole")] + public partial class AwAssumeRoleAuthenticationDetailsProperties : AuthenticationDetailsProperties + { + /// + /// Initializes a new instance of the + /// AwAssumeRoleAuthenticationDetailsProperties class. + /// + public AwAssumeRoleAuthenticationDetailsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AwAssumeRoleAuthenticationDetailsProperties class. + /// + /// Assumed role ID is an identifier + /// that you can use to create temporary security credentials. + /// A unique identifier that is required + /// when you assume a role in another account. + /// State of the + /// multi-cloud connector. Possible values include: 'Valid', 'Invalid', + /// 'Expired', 'IncorrectPolicy' + /// The permissions detected in the + /// cloud account. 
+ /// The ID of the cloud account + public AwAssumeRoleAuthenticationDetailsProperties(string awsAssumeRoleArn, string awsExternalId, string authenticationProvisioningState = default(string), IList grantedPermissions = default(IList), string accountId = default(string)) + : base(authenticationProvisioningState, grantedPermissions) + { + AccountId = accountId; + AwsAssumeRoleArn = awsAssumeRoleArn; + AwsExternalId = awsExternalId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the ID of the cloud account + /// + [JsonProperty(PropertyName = "accountId")] + public string AccountId { get; private set; } + + /// + /// Gets or sets assumed role ID is an identifier that you can use to + /// create temporary security credentials. + /// + [JsonProperty(PropertyName = "awsAssumeRoleArn")] + public string AwsAssumeRoleArn { get; set; } + + /// + /// Gets or sets a unique identifier that is required when you assume a + /// role in another account. + /// + [JsonProperty(PropertyName = "awsExternalId")] + public string AwsExternalId { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AwsAssumeRoleArn == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AwsAssumeRoleArn"); + } + if (AwsExternalId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AwsExternalId"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwsCredsAuthenticationDetailsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwsCredsAuthenticationDetailsProperties.cs new file mode 100644 index 000000000000..f934c6479f8f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwsCredsAuthenticationDetailsProperties.cs 
@@ -0,0 +1,104 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// AWS cloud account connector based credentials, the credentials is + /// composed of access key ID and secret key, for more details, refer to + /// <a + /// href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html">Creating + /// an IAM User in Your AWS Account (write only)</a> + /// + [Newtonsoft.Json.JsonObject("awsCreds")] + public partial class AwsCredsAuthenticationDetailsProperties : AuthenticationDetailsProperties + { + /// + /// Initializes a new instance of the + /// AwsCredsAuthenticationDetailsProperties class. + /// + public AwsCredsAuthenticationDetailsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// AwsCredsAuthenticationDetailsProperties class. + /// + /// Public key element of the AWS + /// credential object (write only) + /// Secret key element of the AWS + /// credential object (write only) + /// State of the + /// multi-cloud connector. Possible values include: 'Valid', 'Invalid', + /// 'Expired', 'IncorrectPolicy' + /// The permissions detected in the + /// cloud account. 
+ /// The ID of the cloud account + public AwsCredsAuthenticationDetailsProperties(string awsAccessKeyId, string awsSecretAccessKey, string authenticationProvisioningState = default(string), IList grantedPermissions = default(IList), string accountId = default(string)) + : base(authenticationProvisioningState, grantedPermissions) + { + AccountId = accountId; + AwsAccessKeyId = awsAccessKeyId; + AwsSecretAccessKey = awsSecretAccessKey; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the ID of the cloud account + /// + [JsonProperty(PropertyName = "accountId")] + public string AccountId { get; private set; } + + /// + /// Gets or sets public key element of the AWS credential object (write + /// only) + /// + [JsonProperty(PropertyName = "awsAccessKeyId")] + public string AwsAccessKeyId { get; set; } + + /// + /// Gets or sets secret key element of the AWS credential object (write + /// only) + /// + [JsonProperty(PropertyName = "awsSecretAccessKey")] + public string AwsSecretAccessKey { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AwsAccessKeyId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AwsAccessKeyId"); + } + if (AwsSecretAccessKey == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AwsSecretAccessKey"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwsEnvironmentData.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwsEnvironmentData.cs new file mode 100644 index 000000000000..d2f48fa63db5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwsEnvironmentData.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The aws connector environment data + /// + [Newtonsoft.Json.JsonObject("AwsAccount")] + public partial class AwsEnvironmentData : EnvironmentData + { + /// + /// Initializes a new instance of the AwsEnvironmentData class. + /// + public AwsEnvironmentData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AwsEnvironmentData class. + /// + /// The AWS account's organizational + /// data + public AwsEnvironmentData(AwsOrganizationalData organizationalData = default(AwsOrganizationalData)) + { + OrganizationalData = organizationalData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the AWS account's organizational data + /// + [JsonProperty(PropertyName = "organizationalData")] + public AwsOrganizationalData OrganizationalData { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalData.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalData.cs new file mode 100644 index 000000000000..79ae3d2c54f1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalData.cs 
@@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The awsOrganization data + /// + [Newtonsoft.Json.JsonObject("AwsOrganizationalData")] + public partial class AwsOrganizationalData + { + /// + /// Initializes a new instance of the AwsOrganizationalData class. + /// + public AwsOrganizationalData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMaster.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMaster.cs new file mode 100644 index 000000000000..d31f34757de3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMaster.cs 
@@ -0,0 +1,70 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The awsOrganization data for the master account + /// + [Newtonsoft.Json.JsonObject("Organization")] + public partial class AwsOrganizationalDataMaster : AwsOrganizationalData + { + /// + /// Initializes a new instance of the AwsOrganizationalDataMaster + /// class. + /// + public AwsOrganizationalDataMaster() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AwsOrganizationalDataMaster + /// class. + /// + /// If the multi cloud account is of + /// membership type organization, this will be the name of the + /// onboarding stackset + /// If the multi cloud account is of + /// membership type organization, list of accounts excluded from + /// offering + public AwsOrganizationalDataMaster(string stacksetName = default(string), IList excludedAccountIds = default(IList)) + { + StacksetName = stacksetName; + ExcludedAccountIds = excludedAccountIds; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets if the multi cloud account is of membership type + /// organization, this will be the name of the onboarding stackset + /// + [JsonProperty(PropertyName = "stacksetName")] + public string StacksetName { get; set; } + + /// + /// Gets or sets if the multi cloud account is of membership type + /// organization, list of accounts excluded from offering + /// + [JsonProperty(PropertyName = "excludedAccountIds")] + public 
IList ExcludedAccountIds { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMember.cs b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMember.cs new file mode 100644 index 000000000000..76cb90f759fb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AwsOrganizationalDataMember.cs @@ -0,0 +1,57 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The awsOrganization data for the member account + /// + [Newtonsoft.Json.JsonObject("Member")] + public partial class AwsOrganizationalDataMember : AwsOrganizationalData + { + /// + /// Initializes a new instance of the AwsOrganizationalDataMember + /// class. + /// + public AwsOrganizationalDataMember() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AwsOrganizationalDataMember + /// class. + /// + /// If the multi cloud account is not + /// of membership type organization, this will be the ID of the + /// account's parent + public AwsOrganizationalDataMember(string parentHierarchyId = default(string)) + { + ParentHierarchyId = parentHierarchyId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets if the multi cloud account is not of membership type + /// organization, this will be the ID of the account's parent + /// + [JsonProperty(PropertyName = "parentHierarchyId")] + public string ParentHierarchyId { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AzureDevOpsScopeEnvironmentData.cs b/src/Security/Security.Management.Sdk/Generated/Models/AzureDevOpsScopeEnvironmentData.cs new file mode 100644 index 000000000000..c06b5b05413e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AzureDevOpsScopeEnvironmentData.cs @@ -0,0 +1,38 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The AzureDevOps scope connector's environment data + /// + [Newtonsoft.Json.JsonObject("AzureDevOpsScope")] + public partial class AzureDevOpsScopeEnvironmentData : EnvironmentData + { + /// + /// Initializes a new instance of the AzureDevOpsScopeEnvironmentData + /// class. + /// + public AzureDevOpsScopeEnvironmentData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceDetails.cs new file mode 100644 index 000000000000..b634e09ebdb5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceDetails.cs 
@@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the Azure resource that was assessed + /// + [Newtonsoft.Json.JsonObject("Azure")] + public partial class AzureResourceDetails : ResourceDetails + { + /// + /// Initializes a new instance of the AzureResourceDetails class. + /// + public AzureResourceDetails() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AzureResourceDetails class. + /// + /// Azure resource Id of the assessed resource + public AzureResourceDetails(string id = default(string)) + { + Id = id; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure resource Id of the assessed resource + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceLink.cs b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceLink.cs new file mode 100644 index 000000000000..d2d7d81bfbc5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/AzureResourceLink.cs 
@@ -0,0 +1,51 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with kind + /// + public partial class AzureResourceLink + { + /// + /// Initializes a new instance of the AzureResourceLink class. + /// + public AzureResourceLink() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the AzureResourceLink class. + /// + /// Azure resource Id + public AzureResourceLink(string id = default(string)) + { + Id = id; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Baseline.cs b/src/Security/Security.Management.Sdk/Generated/Models/Baseline.cs new file mode 100644 index 000000000000..a300c7515832 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Baseline.cs 
@@ -0,0 +1,61 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Baseline details. + /// + public partial class Baseline + { + /// + /// Initializes a new instance of the Baseline class. + /// + public Baseline() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Baseline class. + /// + /// Expected results. + /// Baseline update time (UTC). + public Baseline(IList> expectedResults = default(IList>), System.DateTime? updatedTime = default(System.DateTime?)) + { + ExpectedResults = expectedResults; + UpdatedTime = updatedTime; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets expected results. + /// + [JsonProperty(PropertyName = "expectedResults")] + public IList> ExpectedResults { get; set; } + + /// + /// Gets or sets baseline update time (UTC). + /// + [JsonProperty(PropertyName = "updatedTime")] + public System.DateTime? UpdatedTime { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/BaselineAdjustedResult.cs b/src/Security/Security.Management.Sdk/Generated/Models/BaselineAdjustedResult.cs new file mode 100644 index 000000000000..29e81afc6670 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/BaselineAdjustedResult.cs 
@@ -0,0 +1,79 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The rule result adjusted with baseline. + /// + public partial class BaselineAdjustedResult + { + /// + /// Initializes a new instance of the BaselineAdjustedResult class. + /// + public BaselineAdjustedResult() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the BaselineAdjustedResult class. + /// + /// Possible values include: 'NonFinding', + /// 'Finding', 'InternalError' + /// Results the are not in + /// baseline. + /// Results the are in + /// baseline. + public BaselineAdjustedResult(Baseline baseline = default(Baseline), string status = default(string), IList> resultsNotInBaseline = default(IList>), IList> resultsOnlyInBaseline = default(IList>)) + { + Baseline = baseline; + Status = status; + ResultsNotInBaseline = resultsNotInBaseline; + ResultsOnlyInBaseline = resultsOnlyInBaseline; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "baseline")] + public Baseline Baseline { get; set; } + + /// + /// Gets or sets possible values include: 'NonFinding', 'Finding', + /// 'InternalError' + /// + [JsonProperty(PropertyName = "status")] + public string Status { get; set; } + + /// + /// Gets or sets results the are not in baseline. 
+ /// + [JsonProperty(PropertyName = "resultsNotInBaseline")] + public IList> ResultsNotInBaseline { get; set; } + + /// + /// Gets or sets results the are in baseline. + /// + [JsonProperty(PropertyName = "resultsOnlyInBaseline")] + public IList> ResultsOnlyInBaseline { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/BenchmarkReference.cs b/src/Security/Security.Management.Sdk/Generated/Models/BenchmarkReference.cs new file mode 100644 index 000000000000..f730db7e5513 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/BenchmarkReference.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The benchmark references. + /// + public partial class BenchmarkReference + { + /// + /// Initializes a new instance of the BenchmarkReference class. + /// + public BenchmarkReference() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the BenchmarkReference class. + /// + /// The benchmark name. + /// The benchmark reference. + public BenchmarkReference(string benchmark = default(string), string reference = default(string)) + { + Benchmark = benchmark; + Reference = reference; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the benchmark name. + /// + [JsonProperty(PropertyName = "benchmark")] + public string Benchmark { get; set; } + + /// + /// Gets or sets the benchmark reference. + /// + [JsonProperty(PropertyName = "reference")] + public string Reference { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CVE.cs b/src/Security/Security.Management.Sdk/Generated/Models/CVE.cs new file mode 100644 index 000000000000..c517739c77c2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CVE.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// CVE details + /// + public partial class CVE + { + /// + /// Initializes a new instance of the CVE class. + /// + public CVE() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CVE class. + /// + /// CVE title + /// Link url + public CVE(string title = default(string), string link = default(string)) + { + Title = title; + Link = link; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets CVE title + /// + [JsonProperty(PropertyName = "title")] + public string Title { get; private set; } + + /// + /// Gets link url + /// + [JsonProperty(PropertyName = "link")] + public string Link { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CVSS.cs b/src/Security/Security.Management.Sdk/Generated/Models/CVSS.cs new file mode 100644 index 000000000000..9f419f3ffaee --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CVSS.cs 
@@ -0,0 +1,51 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// CVSS details + /// + public partial class CVSS + { + /// + /// Initializes a new instance of the CVSS class. + /// + public CVSS() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CVSS class. + /// + /// CVSS base + public CVSS(double? baseProperty = default(double?)) + { + BaseProperty = baseProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets CVSS base + /// + [JsonProperty(PropertyName = "base")] + public double? BaseProperty { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Categories.cs b/src/Security/Security.Management.Sdk/Generated/Models/Categories.cs new file mode 100644 index 000000000000..822bbff8ba38 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Categories.cs 
@@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Categories. + /// + public static class Categories + { + public const string Compute = "Compute"; + public const string Networking = "Networking"; + public const string Data = "Data"; + public const string IdentityAndAccess = "IdentityAndAccess"; + public const string IoT = "IoT"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CefExternalSecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/CefExternalSecuritySolution.cs new file mode 100644 index 000000000000..71f7f935f574 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CefExternalSecuritySolution.cs 
@@ -0,0 +1,58 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a security solution which sends CEF logs to an OMS workspace + /// + [Newtonsoft.Json.JsonObject("CEF")] + public partial class CefExternalSecuritySolution : ExternalSecuritySolution + { + /// + /// Initializes a new instance of the CefExternalSecuritySolution + /// class. + /// + public CefExternalSecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CefExternalSecuritySolution + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public CefExternalSecuritySolution(string id = default(string), string name = default(string), string type = default(string), string location = default(string), CefSolutionProperties properties = default(CefSolutionProperties)) + : base(id, name, type, location) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public CefSolutionProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CefSolutionProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/CefSolutionProperties.cs new file mode 100644 index 000000000000..03694767fcec --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CefSolutionProperties.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The external security solution properties for CEF solutions + /// + public partial class CefSolutionProperties : ExternalSecuritySolutionProperties + { + /// + /// Initializes a new instance of the CefSolutionProperties class. + /// + public CefSolutionProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CefSolutionProperties class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + public CefSolutionProperties(IDictionary additionalProperties = default(IDictionary), string deviceVendor = default(string), string deviceType = default(string), ConnectedWorkspace workspace = default(ConnectedWorkspace), string hostname = default(string), string agent = default(string), string lastEventReceived = default(string)) + : base(additionalProperties, deviceVendor, deviceType, workspace) + { + Hostname = hostname; + Agent = agent; + LastEventReceived = lastEventReceived; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "hostname")] + public string Hostname { get; set; } + + /// + /// + [JsonProperty(PropertyName = "agent")] + public string Agent { get; set; } + + /// + /// + [JsonProperty(PropertyName = "lastEventReceived")] + public string LastEventReceived { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CloudName.cs b/src/Security/Security.Management.Sdk/Generated/Models/CloudName.cs new file mode 100644 index 000000000000..1cbff15d954c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CloudName.cs @@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for CloudName. + /// + public static class CloudName + { + public const string Azure = "Azure"; + public const string AWS = "AWS"; + public const string GCP = "GCP"; + public const string Github = "Github"; + public const string AzureDevOps = "AzureDevOps"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CloudOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/CloudOffering.cs new file mode 100644 index 000000000000..61f9eed172e0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CloudOffering.cs 
@@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The security offering details + /// + [Newtonsoft.Json.JsonObject("cloudOffering")] + public partial class CloudOffering + { + /// + /// Initializes a new instance of the CloudOffering class. + /// + public CloudOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CloudOffering class. + /// + /// The offering description. + public CloudOffering(string description = default(string)) + { + Description = description; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the offering description. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Compliance.cs b/src/Security/Security.Management.Sdk/Generated/Models/Compliance.cs new file mode 100644 index 000000000000..4004358f771f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Compliance.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Compliance of a scope + /// + [Rest.Serialization.JsonTransformation] + public partial class Compliance : Resource + { + /// + /// Initializes a new instance of the Compliance class. + /// + public Compliance() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Compliance class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The timestamp when the + /// Compliance calculation was conducted. + /// The resource count of the given + /// subscription for which the Compliance calculation was conducted + /// (needed for Management Group Compliance calculation). + /// An array of segment, which is the + /// actually the compliance assessment. + public Compliance(string id = default(string), string name = default(string), string type = default(string), System.DateTime? assessmentTimestampUtcDate = default(System.DateTime?), int? resourceCount = default(int?), IList assessmentResult = default(IList)) + : base(id, name, type) + { + AssessmentTimestampUtcDate = assessmentTimestampUtcDate; + ResourceCount = resourceCount; + AssessmentResult = assessmentResult; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the timestamp when the Compliance calculation was conducted. 
+ /// + [JsonProperty(PropertyName = "properties.assessmentTimestampUtcDate")] + public System.DateTime? AssessmentTimestampUtcDate { get; private set; } + + /// + /// Gets the resource count of the given subscription for which the + /// Compliance calculation was conducted (needed for Management Group + /// Compliance calculation). + /// + [JsonProperty(PropertyName = "properties.resourceCount")] + public int? ResourceCount { get; private set; } + + /// + /// Gets an array of segment, which is the actually the compliance + /// assessment. + /// + [JsonProperty(PropertyName = "properties.assessmentResult")] + public IList AssessmentResult { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ComplianceResult.cs b/src/Security/Security.Management.Sdk/Generated/Models/ComplianceResult.cs new file mode 100644 index 000000000000..24aa5241f32f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ComplianceResult.cs 
@@ -0,0 +1,62 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// a compliance result + /// + [Rest.Serialization.JsonTransformation] + public partial class ComplianceResult : Resource + { + /// + /// Initializes a new instance of the ComplianceResult class. + /// + public ComplianceResult() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ComplianceResult class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The status of the resource regarding a + /// single assessment. Possible values include: 'Healthy', + /// 'NotApplicable', 'OffByPolicy', 'NotHealthy' + public ComplianceResult(string id = default(string), string name = default(string), string type = default(string), string resourceStatus = default(string)) + : base(id, name, type) + { + ResourceStatus = resourceStatus; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the status of the resource regarding a single assessment. + /// Possible values include: 'Healthy', 'NotApplicable', 'OffByPolicy', + /// 'NotHealthy' + /// + [JsonProperty(PropertyName = "properties.resourceStatus")] + public string ResourceStatus { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ComplianceSegment.cs b/src/Security/Security.Management.Sdk/Generated/Models/ComplianceSegment.cs new file mode 100644 index 000000000000..326a57a4e2cb --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/ComplianceSegment.cs @@ -0,0 +1,61 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A segment of a compliance assessment. + /// + public partial class ComplianceSegment + { + /// + /// Initializes a new instance of the ComplianceSegment class. + /// + public ComplianceSegment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ComplianceSegment class. + /// + /// The segment type, e.g. compliant, + /// non-compliance, insufficient coverage, N/A, etc. + /// The size (%) of the segment. + public ComplianceSegment(string segmentType = default(string), double? percentage = default(double?)) + { + SegmentType = segmentType; + Percentage = percentage; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the segment type, e.g. compliant, non-compliance, insufficient + /// coverage, N/A, etc. + /// + [JsonProperty(PropertyName = "segmentType")] + public string SegmentType { get; private set; } + + /// + /// Gets the size (%) of the segment. + /// + [JsonProperty(PropertyName = "percentage")] + public double? Percentage { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Condition.cs b/src/Security/Security.Management.Sdk/Generated/Models/Condition.cs new file mode 100644 index 000000000000..b0c59507d82f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Condition.cs 
@@ -0,0 +1,76 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Governance rule's condition + /// + public partial class Condition + { + /// + /// Initializes a new instance of the Condition class. + /// + public Condition() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Condition class. + /// + /// The governance rule Condition's Property, + /// e.g. Severity or AssessmentKey, see examples + /// The governance rule Condition's Value like + /// severity Low, High or assessments keys, see examples + /// The governance rule Condition's + /// Operator, for example Equals for severity or In for list of + /// assessments, see examples. Possible values include: 'Equals', + /// 'In' + public Condition(string property = default(string), string value = default(string), string operatorProperty = default(string)) + { + Property = property; + Value = value; + OperatorProperty = operatorProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the governance rule Condition's Property, e.g. 
+ /// Severity or AssessmentKey, see examples + /// + [JsonProperty(PropertyName = "property")] + public string Property { get; set; } + + /// + /// Gets or sets the governance rule Condition's Value like severity + /// Low, High or assessments keys, see examples + /// + [JsonProperty(PropertyName = "value")] + public string Value { get; set; } + + /// + /// Gets or sets the governance rule Condition's Operator, for example + /// Equals for severity or In for list of assessments, see examples. + /// Possible values include: 'Equals', 'In' + /// + [JsonProperty(PropertyName = "operator")] + public string OperatorProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectableResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectableResource.cs new file mode 100644 index 000000000000..fdee3b843f08 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectableResource.cs 
@@ -0,0 +1,74 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes the allowed inbound and outbound traffic of an Azure resource + /// + public partial class ConnectableResource + { + /// + /// Initializes a new instance of the ConnectableResource class. + /// + public ConnectableResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectableResource class. + /// + /// The Azure resource id + /// The list of Azure resources + /// that the resource has inbound allowed connection from + /// The list of Azure + /// resources that the resource has outbound allowed connection + /// to + public ConnectableResource(string id = default(string), IList inboundConnectedResources = default(IList), IList outboundConnectedResources = default(IList)) + { + Id = id; + InboundConnectedResources = inboundConnectedResources; + OutboundConnectedResources = outboundConnectedResources; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the Azure resource id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets the list of Azure resources that the resource has inbound + /// allowed connection from + /// + [JsonProperty(PropertyName = "inboundConnectedResources")] + public IList InboundConnectedResources { get; private set; } + + /// + /// Gets the list of Azure resources that the resource has outbound + /// allowed connection to + /// 
+ [JsonProperty(PropertyName = "outboundConnectedResources")] + public IList OutboundConnectedResources { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectedResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectedResource.cs new file mode 100644 index 000000000000..a9458d7b180b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectedResource.cs 
@@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes properties of a connected resource + /// + public partial class ConnectedResource + { + /// + /// Initializes a new instance of the ConnectedResource class. + /// + public ConnectedResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectedResource class. + /// + /// The Azure resource id of the + /// connected resource + /// The allowed tcp ports + /// The allowed udp ports + public ConnectedResource(string connectedResourceId = default(string), string tcpPorts = default(string), string udpPorts = default(string)) + { + ConnectedResourceId = connectedResourceId; + TcpPorts = tcpPorts; + UdpPorts = udpPorts; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the Azure resource id of the connected resource + /// + [JsonProperty(PropertyName = "connectedResourceId")] + public string ConnectedResourceId { get; private set; } + + /// + /// Gets the allowed tcp ports + /// + [JsonProperty(PropertyName = "tcpPorts")] + public string TcpPorts { get; private set; } + + /// + /// Gets the allowed udp ports + /// + [JsonProperty(PropertyName = "udpPorts")] + public string UdpPorts { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectedWorkspace.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectedWorkspace.cs new file mode 100644 index 000000000000..ede95550d65f --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectedWorkspace.cs @@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents an OMS workspace to which the solution is connected + /// + public partial class ConnectedWorkspace + { + /// + /// Initializes a new instance of the ConnectedWorkspace class. + /// + public ConnectedWorkspace() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectedWorkspace class. + /// + /// Azure resource ID of the connected OMS + /// workspace + public ConnectedWorkspace(string id = default(string)) + { + Id = id; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets azure resource ID of the connected OMS workspace + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectionFromIpNotAllowed.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionFromIpNotAllowed.cs new file mode 100644 index 000000000000..ca4803a93ebc --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionFromIpNotAllowed.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Inbound connection from an ip that isn't allowed. Allow list consists + /// of ipv4 or ipv6 range in CIDR notation. + /// + [Newtonsoft.Json.JsonObject("ConnectionFromIpNotAllowed")] + public partial class ConnectionFromIpNotAllowed : AllowlistCustomAlertRule + { + /// + /// Initializes a new instance of the ConnectionFromIpNotAllowed class. + /// + public ConnectionFromIpNotAllowed() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectionFromIpNotAllowed class. + /// + /// Status of the custom alert. + /// The values to allow. The format of + /// the values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public ConnectionFromIpNotAllowed(bool isEnabled, IList allowlistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, allowlistValues, displayName, description, valueType) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectionStrings.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionStrings.cs new file mode 100644 index 000000000000..3f8d150af8f3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionStrings.cs @@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Connection string for ingesting security data and logs + /// + public partial class ConnectionStrings + { + /// + /// Initializes a new instance of the ConnectionStrings class. + /// + public ConnectionStrings() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectionStrings class. + /// + /// Connection strings + public ConnectionStrings(IList value) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets connection strings + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Value == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Value"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectionToIpNotAllowed.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionToIpNotAllowed.cs new file mode 100644 index 000000000000..19cc63c8934c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionToIpNotAllowed.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Outbound connection to an ip that isn't allowed. Allow list consists of + /// ipv4 or ipv6 range in CIDR notation. + /// + [Newtonsoft.Json.JsonObject("ConnectionToIpNotAllowed")] + public partial class ConnectionToIpNotAllowed : AllowlistCustomAlertRule + { + /// + /// Initializes a new instance of the ConnectionToIpNotAllowed class. + /// + public ConnectionToIpNotAllowed() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectionToIpNotAllowed class. + /// + /// Status of the custom alert. + /// The values to allow. The format of + /// the values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public ConnectionToIpNotAllowed(bool isEnabled, IList allowlistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, allowlistValues, displayName, description, valueType) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectionType.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionType.cs new file mode 100644 index 000000000000..599f04894777 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectionType.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ConnectionType. + /// + public static class ConnectionType + { + public const string Internal = "Internal"; + public const string External = "External"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ConnectorSetting.cs b/src/Security/Security.Management.Sdk/Generated/Models/ConnectorSetting.cs new file mode 100644 index 000000000000..e99d45471912 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ConnectorSetting.cs 
@@ -0,0 +1,85 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The connector setting + /// + [Rest.Serialization.JsonTransformation] + public partial class ConnectorSetting : Resource + { + /// + /// Initializes a new instance of the ConnectorSetting class. + /// + public ConnectorSetting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ConnectorSetting class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Settings for hybrid compute + /// management. These settings are relevant only for Arc autoProvision + /// (Hybrid Compute). + /// Settings for authentication + /// management, these settings are relevant only for the cloud + /// connector. + public ConnectorSetting(string id = default(string), string name = default(string), string type = default(string), HybridComputeSettingsProperties hybridComputeSettings = default(HybridComputeSettingsProperties), AuthenticationDetailsProperties authenticationDetails = default(AuthenticationDetailsProperties)) + : base(id, name, type) + { + HybridComputeSettings = hybridComputeSettings; + AuthenticationDetails = authenticationDetails; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets settings for hybrid compute management. These settings + /// are relevant only for Arc autoProvision (Hybrid Compute). 
+ /// + [JsonProperty(PropertyName = "properties.hybridComputeSettings")] + public HybridComputeSettingsProperties HybridComputeSettings { get; set; } + + /// + /// Gets or sets settings for authentication management, these settings + /// are relevant only for the cloud connector. + /// + [JsonProperty(PropertyName = "properties.authenticationDetails")] + public AuthenticationDetailsProperties AuthenticationDetails { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (HybridComputeSettings != null) + { + HybridComputeSettings.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ContainerRegistryVulnerabilityProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ContainerRegistryVulnerabilityProperties.cs new file mode 100644 index 000000000000..5938f602483a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ContainerRegistryVulnerabilityProperties.cs 
@@ -0,0 +1,117 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Additional context fields for container registry Vulnerability + /// assessment + /// + [Newtonsoft.Json.JsonObject("ContainerRegistryVulnerability")] + public partial class ContainerRegistryVulnerabilityProperties : AdditionalData + { + /// + /// Initializes a new instance of the + /// ContainerRegistryVulnerabilityProperties class. + /// + public ContainerRegistryVulnerabilityProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// ContainerRegistryVulnerabilityProperties class. + /// + /// Vulnerability Type. e.g: Vulnerability, + /// Potential Vulnerability, Information Gathered, + /// Vulnerability + /// Dictionary from cvss version to cvss details + /// object + /// Indicates whether a patch is available or + /// not + /// List of CVEs + /// Published time + /// Name of the repository which the + /// vulnerable image belongs to + /// Digest of the vulnerable image + public ContainerRegistryVulnerabilityProperties(string type = default(string), IDictionary cvss = default(IDictionary), bool? patchable = default(bool?), IList cve = default(IList), System.DateTime? 
publishedTime = default(System.DateTime?), IList vendorReferences = default(IList), string repositoryName = default(string), string imageDigest = default(string)) + { + Type = type; + Cvss = cvss; + Patchable = patchable; + Cve = cve; + PublishedTime = publishedTime; + VendorReferences = vendorReferences; + RepositoryName = repositoryName; + ImageDigest = imageDigest; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets vulnerability Type. e.g: Vulnerability, Potential + /// Vulnerability, Information Gathered, Vulnerability + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets dictionary from cvss version to cvss details object + /// + [JsonProperty(PropertyName = "cvss")] + public IDictionary Cvss { get; private set; } + + /// + /// Gets indicates whether a patch is available or not + /// + [JsonProperty(PropertyName = "patchable")] + public bool? Patchable { get; private set; } + + /// + /// Gets list of CVEs + /// + [JsonProperty(PropertyName = "cve")] + public IList Cve { get; private set; } + + /// + /// Gets published time + /// + [JsonProperty(PropertyName = "publishedTime")] + public System.DateTime? PublishedTime { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "vendorReferences")] + public IList VendorReferences { get; private set; } + + /// + /// Gets name of the repository which the vulnerable image belongs to + /// + [JsonProperty(PropertyName = "repositoryName")] + public string RepositoryName { get; private set; } + + /// + /// Gets digest of the vulnerable image + /// + [JsonProperty(PropertyName = "imageDigest")] + public string ImageDigest { get; private set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ControlType.cs b/src/Security/Security.Management.Sdk/Generated/Models/ControlType.cs new file mode 100644 index 000000000000..c245b5e17e5a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ControlType.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ControlType. + /// + public static class ControlType + { + /// + /// Microsoft Defender for Cloud managed assessments + /// + public const string BuiltIn = "BuiltIn"; + /// + /// Non Microsoft Defender for Cloud managed assessments + /// + public const string Custom = "Custom"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CreatedByType.cs b/src/Security/Security.Management.Sdk/Generated/Models/CreatedByType.cs new file mode 100644 index 000000000000..a18acdd38fdf --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CreatedByType.cs 
@@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for CreatedByType. + /// + public static class CreatedByType + { + public const string User = "User"; + public const string Application = "Application"; + public const string ManagedIdentity = "ManagedIdentity"; + public const string Key = "Key"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOffering.cs new file mode 100644 index 000000000000..891f4d2e3456 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOffering.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM monitoring for AWS offering + /// + [Newtonsoft.Json.JsonObject("CspmMonitorAws")] + public partial class CspmMonitorAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the CspmMonitorAwsOffering class. + /// + public CspmMonitorAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CspmMonitorAwsOffering class. + /// + /// The offering description. + /// The native cloud connection + /// configuration + public CspmMonitorAwsOffering(string description = default(string), CspmMonitorAwsOfferingNativeCloudConnection nativeCloudConnection = default(CspmMonitorAwsOfferingNativeCloudConnection)) + : base(description) + { + NativeCloudConnection = nativeCloudConnection; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "nativeCloudConnection")] + public CspmMonitorAwsOfferingNativeCloudConnection NativeCloudConnection { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOfferingNativeCloudConnection.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOfferingNativeCloudConnection.cs new file mode 100644 index 000000000000..710796af0f02 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAwsOfferingNativeCloudConnection.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class CspmMonitorAwsOfferingNativeCloudConnection + { + /// + /// Initializes a new instance of the + /// CspmMonitorAwsOfferingNativeCloudConnection class. + /// + public CspmMonitorAwsOfferingNativeCloudConnection() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// CspmMonitorAwsOfferingNativeCloudConnection class. + /// + /// The cloud role ARN in AWS for this + /// feature + public CspmMonitorAwsOfferingNativeCloudConnection(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAzureDevOpsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAzureDevOpsOffering.cs new file mode 100644 index 000000000000..3b9a37a84cd0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorAzureDevOpsOffering.cs 
@@ -0,0 +1,48 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM monitoring for AzureDevOps offering + /// + [Newtonsoft.Json.JsonObject("CspmMonitorAzureDevOps")] + public partial class CspmMonitorAzureDevOpsOffering : CloudOffering + { + /// + /// Initializes a new instance of the CspmMonitorAzureDevOpsOffering + /// class. + /// + public CspmMonitorAzureDevOpsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CspmMonitorAzureDevOpsOffering + /// class. + /// + /// The offering description. + public CspmMonitorAzureDevOpsOffering(string description = default(string)) + : base(description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOffering.cs new file mode 100644 index 000000000000..ecfd80fd4a14 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOffering.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM monitoring for GCP offering + /// + [Newtonsoft.Json.JsonObject("CspmMonitorGcp")] + public partial class CspmMonitorGcpOffering : CloudOffering + { + /// + /// Initializes a new instance of the CspmMonitorGcpOffering class. + /// + public CspmMonitorGcpOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CspmMonitorGcpOffering class. + /// + /// The offering description. + /// The native cloud connection + /// configuration + public CspmMonitorGcpOffering(string description = default(string), CspmMonitorGcpOfferingNativeCloudConnection nativeCloudConnection = default(CspmMonitorGcpOfferingNativeCloudConnection)) + : base(description) + { + NativeCloudConnection = nativeCloudConnection; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "nativeCloudConnection")] + public CspmMonitorGcpOfferingNativeCloudConnection NativeCloudConnection { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOfferingNativeCloudConnection.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOfferingNativeCloudConnection.cs new file mode 100644 index 000000000000..bf6c0cca4d75 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGcpOfferingNativeCloudConnection.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class CspmMonitorGcpOfferingNativeCloudConnection + { + /// + /// Initializes a new instance of the + /// CspmMonitorGcpOfferingNativeCloudConnection class. + /// + public CspmMonitorGcpOfferingNativeCloudConnection() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// CspmMonitorGcpOfferingNativeCloudConnection class. + /// + /// The GCP workload identity + /// provider id for the offering + /// The service account email + /// address in GCP for this offering + public CspmMonitorGcpOfferingNativeCloudConnection(string workloadIdentityProviderId = default(string), string serviceAccountEmailAddress = default(string)) + { + WorkloadIdentityProviderId = workloadIdentityProviderId; + ServiceAccountEmailAddress = serviceAccountEmailAddress; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the GCP workload identity provider id for the offering + /// + [JsonProperty(PropertyName = "workloadIdentityProviderId")] + public string WorkloadIdentityProviderId { get; set; } + + /// + /// Gets or sets the service account email address in GCP for this + /// offering + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGithubOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGithubOffering.cs new file mode 100644 index 000000000000..a5088c61c166 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CspmMonitorGithubOffering.cs @@ -0,0 +1,46 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM monitoring for github offering + /// + [Newtonsoft.Json.JsonObject("CspmMonitorGithub")] + public partial class CspmMonitorGithubOffering : CloudOffering + { + /// + /// Initializes a new instance of the CspmMonitorGithubOffering class. + /// + public CspmMonitorGithubOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CspmMonitorGithubOffering class. + /// + /// The offering description. + public CspmMonitorGithubOffering(string description = default(string)) + : base(description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/CustomAlertRule.cs new file mode 100644 index 000000000000..a581bbf4f832 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CustomAlertRule.cs 
@@ -0,0 +1,80 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A custom alert rule. + /// + [Newtonsoft.Json.JsonObject("CustomAlertRule")] + public partial class CustomAlertRule + { + /// + /// Initializes a new instance of the CustomAlertRule class. + /// + public CustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CustomAlertRule class. + /// + /// Status of the custom alert. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public CustomAlertRule(bool isEnabled, string displayName = default(string), string description = default(string)) + { + DisplayName = displayName; + Description = description; + IsEnabled = isEnabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the display name of the custom alert. + /// + [JsonProperty(PropertyName = "displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets the description of the custom alert. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; private set; } + + /// + /// Gets or sets status of the custom alert. + /// + [JsonProperty(PropertyName = "isEnabled")] + public bool IsEnabled { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + //Nothing to validate + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomation.cs b/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomation.cs new file mode 100644 index 000000000000..99a623549639 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomation.cs 
@@ -0,0 +1,134 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Custom Assessment Automation + /// + [Rest.Serialization.JsonTransformation] + public partial class CustomAssessmentAutomation : Resource + { + /// + /// Initializes a new instance of the CustomAssessmentAutomation class. + /// + public CustomAssessmentAutomation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CustomAssessmentAutomation class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Azure Resource Manager metadata containing + /// createdBy and modifiedBy information. + /// GZip encoded KQL query representing + /// the assessment automation results required. + /// Relevant cloud for the custom + /// assessment automation. Possible values include: 'AWS', + /// 'GCP' + /// The severity to relate to the assessments + /// generated by this assessment automation. Possible values include: + /// 'High', 'Medium', 'Low' + /// The display name of the assessments + /// generated by this assessment automation. + /// The description to relate to the + /// assessments generated by this assessment automation. + /// The remediation description to + /// relate to the assessments generated by this assessment + /// automation. + /// The assessment metadata key used when + /// an assessment is generated for this assessment automation. 
+ public CustomAssessmentAutomation(string id = default(string), string name = default(string), string type = default(string), SystemData systemData = default(SystemData), string compressedQuery = default(string), string supportedCloud = default(string), string severity = default(string), string displayName = default(string), string description = default(string), string remediationDescription = default(string), string assessmentKey = default(string)) + : base(id, name, type) + { + SystemData = systemData; + CompressedQuery = compressedQuery; + SupportedCloud = supportedCloud; + Severity = severity; + DisplayName = displayName; + Description = description; + RemediationDescription = remediationDescription; + AssessmentKey = assessmentKey; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure Resource Manager metadata containing createdBy and + /// modifiedBy information. + /// + [JsonProperty(PropertyName = "systemData")] + public SystemData SystemData { get; private set; } + + /// + /// Gets or sets gZip encoded KQL query representing the assessment + /// automation results required. + /// + [JsonProperty(PropertyName = "properties.compressedQuery")] + public string CompressedQuery { get; set; } + + /// + /// Gets or sets relevant cloud for the custom assessment automation. + /// Possible values include: 'AWS', 'GCP' + /// + [JsonProperty(PropertyName = "properties.supportedCloud")] + public string SupportedCloud { get; set; } + + /// + /// Gets or sets the severity to relate to the assessments generated by + /// this assessment automation. Possible values include: 'High', + /// 'Medium', 'Low' + /// + [JsonProperty(PropertyName = "properties.severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the display name of the assessments generated by this + /// assessment automation. 
+ /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets the description to relate to the assessments generated + /// by this assessment automation. + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets the remediation description to relate to the + /// assessments generated by this assessment automation. + /// + [JsonProperty(PropertyName = "properties.remediationDescription")] + public string RemediationDescription { get; set; } + + /// + /// Gets or sets the assessment metadata key used when an assessment is + /// generated for this assessment automation. + /// + [JsonProperty(PropertyName = "properties.assessmentKey")] + public string AssessmentKey { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomationRequest.cs b/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomationRequest.cs new file mode 100644 index 000000000000..b6a13a810a10 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CustomAssessmentAutomationRequest.cs 
@@ -0,0 +1,116 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Custom Assessment Automation request + /// + [Rest.Serialization.JsonTransformation] + public partial class CustomAssessmentAutomationRequest : Resource + { + /// + /// Initializes a new instance of the CustomAssessmentAutomationRequest + /// class. + /// + public CustomAssessmentAutomationRequest() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CustomAssessmentAutomationRequest + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Base 64 encoded KQL query + /// representing the assessment automation results required. + /// Relevant cloud for the custom + /// assessment automation. Possible values include: 'AWS', + /// 'GCP' + /// The severity to relate to the assessments + /// generated by this assessment automation. Possible values include: + /// 'High', 'Medium', 'Low' + /// The display name of the assessments + /// generated by this assessment automation. + /// The description to relate to the + /// assessments generated by this assessment automation. + /// The remediation description to + /// relate to the assessments generated by this assessment + /// automation. 
+ public CustomAssessmentAutomationRequest(string id = default(string), string name = default(string), string type = default(string), string compressedQuery = default(string), string supportedCloud = default(string), string severity = default(string), string displayName = default(string), string description = default(string), string remediationDescription = default(string)) + : base(id, name, type) + { + CompressedQuery = compressedQuery; + SupportedCloud = supportedCloud; + Severity = severity; + DisplayName = displayName; + Description = description; + RemediationDescription = remediationDescription; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets base 64 encoded KQL query representing the assessment + /// automation results required. + /// + [JsonProperty(PropertyName = "properties.compressedQuery")] + public string CompressedQuery { get; set; } + + /// + /// Gets or sets relevant cloud for the custom assessment automation. + /// Possible values include: 'AWS', 'GCP' + /// + [JsonProperty(PropertyName = "properties.supportedCloud")] + public string SupportedCloud { get; set; } + + /// + /// Gets or sets the severity to relate to the assessments generated by + /// this assessment automation. Possible values include: 'High', + /// 'Medium', 'Low' + /// + [JsonProperty(PropertyName = "properties.severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the display name of the assessments generated by this + /// assessment automation. + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets the description to relate to the assessments generated + /// by this assessment automation. 
+ /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets the remediation description to relate to the + /// assessments generated by this assessment automation. + /// + [JsonProperty(PropertyName = "properties.remediationDescription")] + public string RemediationDescription { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignment.cs b/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignment.cs new file mode 100644 index 000000000000..fa1e2ff27620 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignment.cs 
@@ -0,0 +1,82 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Custom entity store assignment + /// + [Rest.Serialization.JsonTransformation] + public partial class CustomEntityStoreAssignment : Resource + { + /// + /// Initializes a new instance of the CustomEntityStoreAssignment + /// class. + /// + public CustomEntityStoreAssignment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the CustomEntityStoreAssignment + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Azure Resource Manager metadata containing + /// createdBy and modifiedBy information. + /// The principal assigned with entity store. + /// Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// The link to entity store + /// database. + public CustomEntityStoreAssignment(string id = default(string), string name = default(string), string type = default(string), SystemData systemData = default(SystemData), string principal = default(string), string entityStoreDatabaseLink = default(string)) + : base(id, name, type) + { + SystemData = systemData; + Principal = principal; + EntityStoreDatabaseLink = entityStoreDatabaseLink; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure Resource Manager metadata containing createdBy and + /// modifiedBy information. 
+ /// + [JsonProperty(PropertyName = "systemData")] + public SystemData SystemData { get; private set; } + + /// + /// Gets or sets the principal assigned with entity store. Format of + /// principal is: [AAD type]=[PrincipalObjectId];[TenantId] + /// + [JsonProperty(PropertyName = "properties.principal")] + public string Principal { get; set; } + + /// + /// Gets or sets the link to entity store database. + /// + [JsonProperty(PropertyName = "properties.entityStoreDatabaseLink")] + public string EntityStoreDatabaseLink { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignmentRequest.cs b/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignmentRequest.cs new file mode 100644 index 000000000000..ba4022d7b0b3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/CustomEntityStoreAssignmentRequest.cs 
@@ -0,0 +1,60 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// describes the custom entity store assignment request + /// + [Rest.Serialization.JsonTransformation] + public partial class CustomEntityStoreAssignmentRequest + { + /// + /// Initializes a new instance of the + /// CustomEntityStoreAssignmentRequest class. + /// + public CustomEntityStoreAssignmentRequest() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// CustomEntityStoreAssignmentRequest class. + /// + /// The principal assigned with entity store. + /// If not provided, will use caller principal. Format of principal is: + /// [AAD type]=[PrincipalObjectId];[TenantId] + public CustomEntityStoreAssignmentRequest(string principal = default(string)) + { + Principal = principal; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the principal assigned with entity store. If not + /// provided, will use caller principal. Format of principal is: [AAD + /// type]=[PrincipalObjectId];[TenantId] + /// + [JsonProperty(PropertyName = "properties.principal")] + public string Principal { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DataExportSettings.cs b/src/Security/Security.Management.Sdk/Generated/Models/DataExportSettings.cs new file mode 100644 index 000000000000..b7b8bc76592f --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DataExportSettings.cs @@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a data export setting + /// + [Newtonsoft.Json.JsonObject("DataExportSettings")] + [Rest.Serialization.JsonTransformation] + public partial class DataExportSettings : Setting + { + /// + /// Initializes a new instance of the DataExportSettings class. + /// + public DataExportSettings() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DataExportSettings class. + /// + /// Is the data export setting enabled + /// Resource Id + /// Resource name + /// Resource type + public DataExportSettings(bool enabled, string id = default(string), string name = default(string), string type = default(string)) + : base(id, name, type) + { + Enabled = enabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is the data export setting enabled + /// + [JsonProperty(PropertyName = "properties.enabled")] + public bool Enabled { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + //Nothing to validate + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DataSource.cs b/src/Security/Security.Management.Sdk/Generated/Models/DataSource.cs new file mode 100644 index 000000000000..21aee25c6657 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DataSource.cs @@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for DataSource. + /// + public static class DataSource + { + /// + /// Devices twin data + /// + public const string TwinData = "TwinData"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOffering.cs new file mode 100644 index 000000000000..bbddf8a22bd3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOffering.cs 
@@ -0,0 +1,56 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM P1 for Aws offering + /// + [Newtonsoft.Json.JsonObject("DefenderCspmAws")] + public partial class DefenderCspmAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderCspmAwsOffering class. + /// + public DefenderCspmAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderCspmAwsOffering class. + /// + /// The offering description. + /// The Microsoft Defender for Server VM + /// scanning configuration + public DefenderCspmAwsOffering(string description = default(string), DefenderCspmAwsOfferingVmScanners vmScanners = default(DefenderCspmAwsOfferingVmScanners)) + : base(description) + { + VmScanners = vmScanners; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Microsoft Defender for Server VM scanning + /// configuration + /// + [JsonProperty(PropertyName = "vmScanners")] + public DefenderCspmAwsOfferingVmScanners VmScanners { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScanners.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScanners.cs new file mode 100644 index 000000000000..3e5ab1f445d7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScanners.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Microsoft Defender for Server VM scanning configuration + /// + public partial class DefenderCspmAwsOfferingVmScanners + { + /// + /// Initializes a new instance of the DefenderCspmAwsOfferingVmScanners + /// class. + /// + public DefenderCspmAwsOfferingVmScanners() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderCspmAwsOfferingVmScanners + /// class. + /// + /// Is Microsoft Defender for Server VM scanning + /// enabled + /// configuration for Microsoft Defender + /// for Server VM scanning + public DefenderCspmAwsOfferingVmScanners(bool? enabled = default(bool?), DefenderCspmAwsOfferingVmScannersConfiguration configuration = default(DefenderCspmAwsOfferingVmScannersConfiguration)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Microsoft Defender for Server VM scanning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Microsoft Defender for Server VM + /// scanning + /// + [JsonProperty(PropertyName = "configuration")] + public DefenderCspmAwsOfferingVmScannersConfiguration Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScannersConfiguration.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScannersConfiguration.cs new file mode 100644 index 000000000000..d87af5677e5e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmAwsOfferingVmScannersConfiguration.cs 
@@ -0,0 +1,75 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// configuration for Microsoft Defender for Server VM scanning + /// + public partial class DefenderCspmAwsOfferingVmScannersConfiguration + { + /// + /// Initializes a new instance of the + /// DefenderCspmAwsOfferingVmScannersConfiguration class. + /// + public DefenderCspmAwsOfferingVmScannersConfiguration() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderCspmAwsOfferingVmScannersConfiguration class. + /// + /// The cloud role ARN in AWS for this + /// feature + /// The scanning mode for the vm scan. + /// Possible values include: 'Default' + /// VM tags that indicates that VM should + /// not be scanned + public DefenderCspmAwsOfferingVmScannersConfiguration(string cloudRoleArn = default(string), string scanningMode = default(string), IDictionary exclusionTags = default(IDictionary)) + { + CloudRoleArn = cloudRoleArn; + ScanningMode = scanningMode; + ExclusionTags = exclusionTags; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + /// + /// Gets or sets the scanning mode for the vm scan. 
Possible values + /// include: 'Default' + /// + [JsonProperty(PropertyName = "scanningMode")] + public string ScanningMode { get; set; } + + /// + /// Gets or sets VM tags that indicates that VM should not be scanned + /// + [JsonProperty(PropertyName = "exclusionTags")] + public IDictionary ExclusionTags { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmGcpOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmGcpOffering.cs new file mode 100644 index 000000000000..4ffc1b800eca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderCspmGcpOffering.cs @@ -0,0 +1,46 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The CSPM P1 for GCP offering + /// + [Newtonsoft.Json.JsonObject("DefenderCspmGcp")] + public partial class DefenderCspmGcpOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderCspmGcpOffering class. + /// + public DefenderCspmGcpOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderCspmGcpOffering class. + /// + /// The offering description. + public DefenderCspmGcpOffering(string description = default(string)) + : base(description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOffering.cs new file mode 100644 index 000000000000..5832c29fa726 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOffering.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for Databases AWS offering + /// + [Newtonsoft.Json.JsonObject("DefenderForDatabasesAws")] + public partial class DefenderFoDatabasesAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderFoDatabasesAwsOffering + /// class. + /// + public DefenderFoDatabasesAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderFoDatabasesAwsOffering + /// class. + /// + /// The offering description. + /// The ARC autoprovisioning + /// configuration + /// The RDS configuration + public DefenderFoDatabasesAwsOffering(string description = default(string), DefenderFoDatabasesAwsOfferingArcAutoProvisioning arcAutoProvisioning = default(DefenderFoDatabasesAwsOfferingArcAutoProvisioning), DefenderFoDatabasesAwsOfferingRds rds = default(DefenderFoDatabasesAwsOfferingRds)) + : base(description) + { + ArcAutoProvisioning = arcAutoProvisioning; + Rds = rds; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the ARC autoprovisioning configuration + /// + [JsonProperty(PropertyName = "arcAutoProvisioning")] + public DefenderFoDatabasesAwsOfferingArcAutoProvisioning ArcAutoProvisioning { get; set; } + + /// + /// Gets or sets the RDS configuration + /// + [JsonProperty(PropertyName = "rds")] + public DefenderFoDatabasesAwsOfferingRds Rds { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingArcAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingArcAutoProvisioning.cs new file mode 100644 index 000000000000..57b9875d2a4f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingArcAutoProvisioning.cs 
@@ -0,0 +1,62 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ARC autoprovisioning configuration + /// + public partial class DefenderFoDatabasesAwsOfferingArcAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderFoDatabasesAwsOfferingArcAutoProvisioning class. + /// + public DefenderFoDatabasesAwsOfferingArcAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderFoDatabasesAwsOfferingArcAutoProvisioning class. + /// + /// Is arc auto provisioning enabled + /// The cloud role ARN in AWS for this + /// feature + public DefenderFoDatabasesAwsOfferingArcAutoProvisioning(bool? enabled = default(bool?), string cloudRoleArn = default(string)) + { + Enabled = enabled; + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is arc auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingRds.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingRds.cs new file mode 100644 index 000000000000..05d60fa23103 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderFoDatabasesAwsOfferingRds.cs @@ -0,0 +1,62 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The RDS configuration + /// + public partial class DefenderFoDatabasesAwsOfferingRds + { + /// + /// Initializes a new instance of the DefenderFoDatabasesAwsOfferingRds + /// class. + /// + public DefenderFoDatabasesAwsOfferingRds() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderFoDatabasesAwsOfferingRds + /// class. + /// + /// Is RDS protection enabled + /// The cloud role ARN in AWS for this + /// feature + public DefenderFoDatabasesAwsOfferingRds(bool? enabled = default(bool?), string cloudRoleArn = default(string)) + { + Enabled = enabled; + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is RDS protection enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOffering.cs new file mode 100644 index 000000000000..949a1dc6ca0f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOffering.cs 
@@ -0,0 +1,141 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for Containers AWS offering + /// + [Newtonsoft.Json.JsonObject("DefenderForContainersAws")] + public partial class DefenderForContainersAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForContainersAwsOffering + /// class. + /// + public DefenderForContainersAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForContainersAwsOffering + /// class. + /// + /// The offering description. + /// The kubernetes service connection + /// configuration + /// The kubernetes to scuba + /// connection configuration + /// The cloudwatch to kinesis + /// connection configuration + /// The kinesis to s3 connection + /// configuration + /// The container + /// vulnerability assessment configuration + /// The container + /// vulnerability assessment task configuration + /// Enable + /// container vulnerability assessment feature + /// Is audit logs pipeline auto + /// provisioning enabled + /// The retention time in days of + /// kube audit logs set on the CloudWatch log group + /// The externalId used by the data + /// reader to prevent the confused deputy attack + public DefenderForContainersAwsOffering(string description = default(string), DefenderForContainersAwsOfferingKubernetesService kubernetesService = default(DefenderForContainersAwsOfferingKubernetesService), DefenderForContainersAwsOfferingKubernetesScubaReader kubernetesScubaReader = default(DefenderForContainersAwsOfferingKubernetesScubaReader), 
DefenderForContainersAwsOfferingCloudWatchToKinesis cloudWatchToKinesis = default(DefenderForContainersAwsOfferingCloudWatchToKinesis), DefenderForContainersAwsOfferingKinesisToS3 kinesisToS3 = default(DefenderForContainersAwsOfferingKinesisToS3), DefenderForContainersAwsOfferingContainerVulnerabilityAssessment containerVulnerabilityAssessment = default(DefenderForContainersAwsOfferingContainerVulnerabilityAssessment), DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask containerVulnerabilityAssessmentTask = default(DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask), bool? enableContainerVulnerabilityAssessment = default(bool?), bool? autoProvisioning = default(bool?), long? kubeAuditRetentionTime = default(long?), string scubaExternalId = default(string)) + : base(description) + { + KubernetesService = kubernetesService; + KubernetesScubaReader = kubernetesScubaReader; + CloudWatchToKinesis = cloudWatchToKinesis; + KinesisToS3 = kinesisToS3; + ContainerVulnerabilityAssessment = containerVulnerabilityAssessment; + ContainerVulnerabilityAssessmentTask = containerVulnerabilityAssessmentTask; + EnableContainerVulnerabilityAssessment = enableContainerVulnerabilityAssessment; + AutoProvisioning = autoProvisioning; + KubeAuditRetentionTime = kubeAuditRetentionTime; + ScubaExternalId = scubaExternalId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the kubernetes service connection configuration + /// + [JsonProperty(PropertyName = "kubernetesService")] + public DefenderForContainersAwsOfferingKubernetesService KubernetesService { get; set; } + + /// + /// Gets or sets the kubernetes to scuba connection configuration + /// + [JsonProperty(PropertyName = "kubernetesScubaReader")] + public DefenderForContainersAwsOfferingKubernetesScubaReader KubernetesScubaReader { get; set; } + + /// + /// Gets or sets the 
cloudwatch to kinesis connection configuration + /// + [JsonProperty(PropertyName = "cloudWatchToKinesis")] + public DefenderForContainersAwsOfferingCloudWatchToKinesis CloudWatchToKinesis { get; set; } + + /// + /// Gets or sets the kinesis to s3 connection configuration + /// + [JsonProperty(PropertyName = "kinesisToS3")] + public DefenderForContainersAwsOfferingKinesisToS3 KinesisToS3 { get; set; } + + /// + /// Gets or sets the container vulnerability assessment configuration + /// + [JsonProperty(PropertyName = "containerVulnerabilityAssessment")] + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessment ContainerVulnerabilityAssessment { get; set; } + + /// + /// Gets or sets the container vulnerability assessment task + /// configuration + /// + [JsonProperty(PropertyName = "containerVulnerabilityAssessmentTask")] + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask ContainerVulnerabilityAssessmentTask { get; set; } + + /// + /// Gets or sets enable container vulnerability assessment feature + /// + [JsonProperty(PropertyName = "enableContainerVulnerabilityAssessment")] + public bool? EnableContainerVulnerabilityAssessment { get; set; } + + /// + /// Gets or sets is audit logs pipeline auto provisioning enabled + /// + [JsonProperty(PropertyName = "autoProvisioning")] + public bool? AutoProvisioning { get; set; } + + /// + /// Gets or sets the retention time in days of kube audit logs set on + /// the CloudWatch log group + /// + [JsonProperty(PropertyName = "kubeAuditRetentionTime")] + public long? KubeAuditRetentionTime { get; set; } + + /// + /// Gets or sets the externalId used by the data reader to prevent the + /// confused deputy attack + /// + [JsonProperty(PropertyName = "scubaExternalId")] + public string ScubaExternalId { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingCloudWatchToKinesis.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingCloudWatchToKinesis.cs new file mode 100644 index 000000000000..5feecc15884b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingCloudWatchToKinesis.cs @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The cloudwatch to kinesis connection configuration + /// + public partial class DefenderForContainersAwsOfferingCloudWatchToKinesis + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingCloudWatchToKinesis class. + /// + public DefenderForContainersAwsOfferingCloudWatchToKinesis() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingCloudWatchToKinesis class. + /// + /// The cloud role ARN in AWS used by + /// CloudWatch to transfer data into Kinesis + public DefenderForContainersAwsOfferingCloudWatchToKinesis(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS used by CloudWatch to + /// transfer data into Kinesis + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessment.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessment.cs new file mode 100644 index 000000000000..307bb4063b33 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessment.cs @@ -0,0 +1,56 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The container vulnerability assessment configuration + /// + public partial class DefenderForContainersAwsOfferingContainerVulnerabilityAssessment + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingContainerVulnerabilityAssessment + /// class. + /// + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingContainerVulnerabilityAssessment + /// class. + /// + /// The cloud role ARN in AWS for this + /// feature + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessment(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask.cs new file mode 100644 index 000000000000..85f8e14107a7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask.cs 
@@ -0,0 +1,56 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The container vulnerability assessment task configuration + /// + public partial class DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask + /// class. + /// + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask + /// class. + /// + /// The cloud role ARN in AWS for this + /// feature + public DefenderForContainersAwsOfferingContainerVulnerabilityAssessmentTask(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKinesisToS3.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKinesisToS3.cs new file mode 100644 index 000000000000..37a4b59f397e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKinesisToS3.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The kinesis to s3 connection configuration + /// + public partial class DefenderForContainersAwsOfferingKinesisToS3 + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKinesisToS3 class. + /// + public DefenderForContainersAwsOfferingKinesisToS3() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKinesisToS3 class. + /// + /// The cloud role ARN in AWS used by + /// Kinesis to transfer data into S3 + public DefenderForContainersAwsOfferingKinesisToS3(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS used by Kinesis to transfer + /// data into S3 + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesScubaReader.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesScubaReader.cs new file mode 100644 index 000000000000..aefbe86d7024 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesScubaReader.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The kubernetes to scuba connection configuration + /// + public partial class DefenderForContainersAwsOfferingKubernetesScubaReader + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKubernetesScubaReader class. + /// + public DefenderForContainersAwsOfferingKubernetesScubaReader() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKubernetesScubaReader class. + /// + /// The cloud role ARN in AWS for this + /// feature used for reading data + public DefenderForContainersAwsOfferingKubernetesScubaReader(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature used for + /// reading data + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesService.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesService.cs new file mode 100644 index 000000000000..70052f080892 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersAwsOfferingKubernetesService.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The kubernetes service connection configuration + /// + public partial class DefenderForContainersAwsOfferingKubernetesService + { + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKubernetesService class. + /// + public DefenderForContainersAwsOfferingKubernetesService() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersAwsOfferingKubernetesService class. + /// + /// The cloud role ARN in AWS for this + /// feature used for provisioning resources + public DefenderForContainersAwsOfferingKubernetesService(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature used for + /// provisioning resources + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOffering.cs new file mode 100644 index 000000000000..6647bd928f2c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOffering.cs 
@@ -0,0 +1,95 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The containers GCP offering + /// + [Newtonsoft.Json.JsonObject("DefenderForContainersGcp")] + public partial class DefenderForContainersGcpOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForContainersGcpOffering + /// class. + /// + public DefenderForContainersGcpOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForContainersGcpOffering + /// class. + /// + /// The offering description. + /// The native cloud connection + /// configuration + /// The native cloud + /// connection configuration + /// Is audit logs data + /// collection enabled + /// Is Microsoft + /// Defender for Cloud Kubernetes agent auto provisioning + /// enabled + /// Is Policy Kubernetes + /// agent auto provisioning enabled + public DefenderForContainersGcpOffering(string description = default(string), DefenderForContainersGcpOfferingNativeCloudConnection nativeCloudConnection = default(DefenderForContainersGcpOfferingNativeCloudConnection), DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection dataPipelineNativeCloudConnection = default(DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection), bool? auditLogsAutoProvisioningFlag = default(bool?), bool? defenderAgentAutoProvisioningFlag = default(bool?), bool? 
policyAgentAutoProvisioningFlag = default(bool?)) + : base(description) + { + NativeCloudConnection = nativeCloudConnection; + DataPipelineNativeCloudConnection = dataPipelineNativeCloudConnection; + AuditLogsAutoProvisioningFlag = auditLogsAutoProvisioningFlag; + DefenderAgentAutoProvisioningFlag = defenderAgentAutoProvisioningFlag; + PolicyAgentAutoProvisioningFlag = policyAgentAutoProvisioningFlag; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "nativeCloudConnection")] + public DefenderForContainersGcpOfferingNativeCloudConnection NativeCloudConnection { get; set; } + + /// + /// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "dataPipelineNativeCloudConnection")] + public DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection DataPipelineNativeCloudConnection { get; set; } + + /// + /// Gets or sets is audit logs data collection enabled + /// + [JsonProperty(PropertyName = "auditLogsAutoProvisioningFlag")] + public bool? AuditLogsAutoProvisioningFlag { get; set; } + + /// + /// Gets or sets is Microsoft Defender for Cloud Kubernetes agent auto + /// provisioning enabled + /// + [JsonProperty(PropertyName = "defenderAgentAutoProvisioningFlag")] + public bool? DefenderAgentAutoProvisioningFlag { get; set; } + + /// + /// Gets or sets is Policy Kubernetes agent auto provisioning enabled + /// + [JsonProperty(PropertyName = "policyAgentAutoProvisioningFlag")] + public bool? PolicyAgentAutoProvisioningFlag { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection.cs new file mode 100644 index 000000000000..2e481a7f5847 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection + { + /// + /// Initializes a new instance of the + /// DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection + /// class. + /// + public DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection + /// class. + /// + /// The data collection + /// service account email address in GCP for this offering + /// The data collection GCP + /// workload identity provider id for this offering + public DefenderForContainersGcpOfferingDataPipelineNativeCloudConnection(string serviceAccountEmailAddress = default(string), string workloadIdentityProviderId = default(string)) + { + ServiceAccountEmailAddress = serviceAccountEmailAddress; + WorkloadIdentityProviderId = workloadIdentityProviderId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the data collection service account email address in + /// GCP for this offering + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + /// + /// Gets or sets the data collection GCP workload identity provider id + /// for this offering + /// + [JsonProperty(PropertyName = 
"workloadIdentityProviderId")] + public string WorkloadIdentityProviderId { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingNativeCloudConnection.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingNativeCloudConnection.cs new file mode 100644 index 000000000000..df9f18d01d3a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForContainersGcpOfferingNativeCloudConnection.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class DefenderForContainersGcpOfferingNativeCloudConnection + { + /// + /// Initializes a new instance of the + /// DefenderForContainersGcpOfferingNativeCloudConnection class. + /// + public DefenderForContainersGcpOfferingNativeCloudConnection() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForContainersGcpOfferingNativeCloudConnection class. + /// + /// The service account email + /// address in GCP for this offering + /// The GCP workload identity + /// provider id for this offering + public DefenderForContainersGcpOfferingNativeCloudConnection(string serviceAccountEmailAddress = default(string), string workloadIdentityProviderId = default(string)) + { + ServiceAccountEmailAddress = serviceAccountEmailAddress; + WorkloadIdentityProviderId = workloadIdentityProviderId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the service account email address in GCP for this + /// offering + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + /// + /// Gets or sets the GCP workload identity provider id for this + /// offering + /// + [JsonProperty(PropertyName = "workloadIdentityProviderId")] + public string WorkloadIdentityProviderId { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOffering.cs new file mode 100644 index 000000000000..153e326d2b62 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOffering.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for Databases GCP offering configurations + /// + [Newtonsoft.Json.JsonObject("DefenderForDatabasesGcp")] + public partial class DefenderForDatabasesGcpOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForDatabasesGcpOffering + /// class. + /// + public DefenderForDatabasesGcpOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForDatabasesGcpOffering + /// class. + /// + /// The offering description. + /// The ARC autoprovisioning + /// configuration + /// The native + /// cloud connection configuration + public DefenderForDatabasesGcpOffering(string description = default(string), DefenderForDatabasesGcpOfferingArcAutoProvisioning arcAutoProvisioning = default(DefenderForDatabasesGcpOfferingArcAutoProvisioning), DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning defenderForDatabasesArcAutoProvisioning = default(DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning)) + : base(description) + { + ArcAutoProvisioning = arcAutoProvisioning; + DefenderForDatabasesArcAutoProvisioning = defenderForDatabasesArcAutoProvisioning; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the ARC autoprovisioning configuration + /// + [JsonProperty(PropertyName = "arcAutoProvisioning")] + public DefenderForDatabasesGcpOfferingArcAutoProvisioning ArcAutoProvisioning { get; set; } + + /// + 
/// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "defenderForDatabasesArcAutoProvisioning")] + public DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning DefenderForDatabasesArcAutoProvisioning { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingArcAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingArcAutoProvisioning.cs new file mode 100644 index 000000000000..01d4acd2c4d0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingArcAutoProvisioning.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ARC autoprovisioning configuration + /// + public partial class DefenderForDatabasesGcpOfferingArcAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForDatabasesGcpOfferingArcAutoProvisioning class. + /// + public DefenderForDatabasesGcpOfferingArcAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForDatabasesGcpOfferingArcAutoProvisioning class. + /// + /// Is arc auto provisioning enabled + public DefenderForDatabasesGcpOfferingArcAutoProvisioning(bool? enabled = default(bool?)) + { + Enabled = enabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is arc auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning.cs new file mode 100644 index 000000000000..7693c84cef72 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning + /// class. + /// + public DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning + /// class. + /// + /// The service account email + /// address in GCP for this offering + /// The GCP workload identity + /// provider id for this offering + public DefenderForDatabasesGcpOfferingDefenderForDatabasesArcAutoProvisioning(string serviceAccountEmailAddress = default(string), string workloadIdentityProviderId = default(string)) + { + ServiceAccountEmailAddress = serviceAccountEmailAddress; + WorkloadIdentityProviderId = workloadIdentityProviderId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the service account email address in GCP for this + /// offering + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + /// + /// Gets or sets the GCP workload identity provider id for this + /// offering + /// + [JsonProperty(PropertyName = "workloadIdentityProviderId")] + public string 
WorkloadIdentityProviderId { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsAzureDevOpsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsAzureDevOpsOffering.cs new file mode 100644 index 000000000000..5ccb98be303f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsAzureDevOpsOffering.cs @@ -0,0 +1,48 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for DevOps for Azure DevOps offering + /// + [Newtonsoft.Json.JsonObject("DefenderForDevOpsAzureDevOps")] + public partial class DefenderForDevOpsAzureDevOpsOffering : CloudOffering + { + /// + /// Initializes a new instance of the + /// DefenderForDevOpsAzureDevOpsOffering class. + /// + public DefenderForDevOpsAzureDevOpsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForDevOpsAzureDevOpsOffering class. + /// + /// The offering description. + public DefenderForDevOpsAzureDevOpsOffering(string description = default(string)) + : base(description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsGithubOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsGithubOffering.cs new file mode 100644 index 000000000000..5e17d36d80c5 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForDevOpsGithubOffering.cs @@ -0,0 +1,48 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for DevOps for Github offering + /// + [Newtonsoft.Json.JsonObject("DefenderForDevOpsGithub")] + public partial class DefenderForDevOpsGithubOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForDevOpsGithubOffering + /// class. + /// + public DefenderForDevOpsGithubOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForDevOpsGithubOffering + /// class. + /// + /// The offering description. + public DefenderForDevOpsGithubOffering(string description = default(string)) + : base(description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOffering.cs new file mode 100644 index 000000000000..1152299c68cf --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOffering.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for Servers AWS offering + /// + [Newtonsoft.Json.JsonObject("DefenderForServersAws")] + public partial class DefenderForServersAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForServersAwsOffering + /// class. + /// + public DefenderForServersAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForServersAwsOffering + /// class. + /// + /// The offering description. + /// The Defender for servers + /// connection configuration + /// The ARC autoprovisioning + /// configuration + /// The Vulnerability Assessment + /// autoprovisioning configuration + /// The Microsoft Defender for + /// Endpoint autoprovisioning configuration + /// configuration for the servers offering + /// subPlan + /// The Microsoft Defender for Server VM + /// scanning configuration + public DefenderForServersAwsOffering(string description = default(string), DefenderForServersAwsOfferingDefenderForServers defenderForServers = default(DefenderForServersAwsOfferingDefenderForServers), DefenderForServersAwsOfferingArcAutoProvisioning arcAutoProvisioning = default(DefenderForServersAwsOfferingArcAutoProvisioning), DefenderForServersAwsOfferingVaAutoProvisioning vaAutoProvisioning = default(DefenderForServersAwsOfferingVaAutoProvisioning), DefenderForServersAwsOfferingMdeAutoProvisioning mdeAutoProvisioning = default(DefenderForServersAwsOfferingMdeAutoProvisioning), DefenderForServersAwsOfferingSubPlan subPlan = 
default(DefenderForServersAwsOfferingSubPlan), DefenderForServersAwsOfferingVmScanners vmScanners = default(DefenderForServersAwsOfferingVmScanners)) + : base(description) + { + DefenderForServers = defenderForServers; + ArcAutoProvisioning = arcAutoProvisioning; + VaAutoProvisioning = vaAutoProvisioning; + MdeAutoProvisioning = mdeAutoProvisioning; + SubPlan = subPlan; + VmScanners = vmScanners; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Defender for servers connection configuration + /// + [JsonProperty(PropertyName = "defenderForServers")] + public DefenderForServersAwsOfferingDefenderForServers DefenderForServers { get; set; } + + /// + /// Gets or sets the ARC autoprovisioning configuration + /// + [JsonProperty(PropertyName = "arcAutoProvisioning")] + public DefenderForServersAwsOfferingArcAutoProvisioning ArcAutoProvisioning { get; set; } + + /// + /// Gets or sets the Vulnerability Assessment autoprovisioning + /// configuration + /// + [JsonProperty(PropertyName = "vaAutoProvisioning")] + public DefenderForServersAwsOfferingVaAutoProvisioning VaAutoProvisioning { get; set; } + + /// + /// Gets or sets the Microsoft Defender for Endpoint autoprovisioning + /// configuration + /// + [JsonProperty(PropertyName = "mdeAutoProvisioning")] + public DefenderForServersAwsOfferingMdeAutoProvisioning MdeAutoProvisioning { get; set; } + + /// + /// Gets or sets configuration for the servers offering subPlan + /// + [JsonProperty(PropertyName = "subPlan")] + public DefenderForServersAwsOfferingSubPlan SubPlan { get; set; } + + /// + /// Gets or sets the Microsoft Defender for Server VM scanning + /// configuration + /// + [JsonProperty(PropertyName = "vmScanners")] + public DefenderForServersAwsOfferingVmScanners VmScanners { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingArcAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingArcAutoProvisioning.cs new file mode 100644 index 000000000000..c80d4fca0b2c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingArcAutoProvisioning.cs 
@@ -0,0 +1,62 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ARC autoprovisioning configuration + /// + public partial class DefenderForServersAwsOfferingArcAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingArcAutoProvisioning class. + /// + public DefenderForServersAwsOfferingArcAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingArcAutoProvisioning class. + /// + /// Is arc auto provisioning enabled + /// The cloud role ARN in AWS for this + /// feature + public DefenderForServersAwsOfferingArcAutoProvisioning(bool? enabled = default(bool?), string cloudRoleArn = default(string)) + { + Enabled = enabled; + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is arc auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingDefenderForServers.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingDefenderForServers.cs new file mode 100644 index 000000000000..8e39b34fd800 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingDefenderForServers.cs @@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for servers connection configuration + /// + public partial class DefenderForServersAwsOfferingDefenderForServers + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingDefenderForServers class. + /// + public DefenderForServersAwsOfferingDefenderForServers() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingDefenderForServers class. + /// + /// The cloud role ARN in AWS for this + /// feature + public DefenderForServersAwsOfferingDefenderForServers(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingMdeAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingMdeAutoProvisioning.cs new file mode 100644 index 000000000000..c1bacf43d9b7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingMdeAutoProvisioning.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Microsoft Defender for Endpoint autoprovisioning configuration + /// + public partial class DefenderForServersAwsOfferingMdeAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingMdeAutoProvisioning class. + /// + public DefenderForServersAwsOfferingMdeAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingMdeAutoProvisioning class. + /// + /// Is Microsoft Defender for Endpoint auto + /// provisioning enabled + /// configuration for Microsoft Defender + /// for Endpoint autoprovisioning + public DefenderForServersAwsOfferingMdeAutoProvisioning(bool? enabled = default(bool?), object configuration = default(object)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Microsoft Defender for Endpoint auto provisioning + /// enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Microsoft Defender for Endpoint + /// autoprovisioning + /// + [JsonProperty(PropertyName = "configuration")] + public object Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingSubPlan.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingSubPlan.cs new file mode 100644 index 000000000000..08be98b87c42 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingSubPlan.cs @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// configuration for the servers offering subPlan + /// + public partial class DefenderForServersAwsOfferingSubPlan + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingSubPlan class. + /// + public DefenderForServersAwsOfferingSubPlan() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingSubPlan class. + /// + /// The available sub plans. Possible values + /// include: 'P1', 'P2' + public DefenderForServersAwsOfferingSubPlan(string type = default(string)) + { + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the available sub plans. Possible values include: + /// 'P1', 'P2' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioning.cs new file mode 100644 index 000000000000..a5c9b793bf03 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioning.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Vulnerability Assessment autoprovisioning configuration + /// + public partial class DefenderForServersAwsOfferingVaAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVaAutoProvisioning class. + /// + public DefenderForServersAwsOfferingVaAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVaAutoProvisioning class. + /// + /// Is Vulnerability Assessment auto provisioning + /// enabled + /// configuration for Vulnerability + /// Assessment autoprovisioning + public DefenderForServersAwsOfferingVaAutoProvisioning(bool? enabled = default(bool?), DefenderForServersAwsOfferingVaAutoProvisioningConfiguration configuration = default(DefenderForServersAwsOfferingVaAutoProvisioningConfiguration)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Vulnerability Assessment auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Vulnerability Assessment + /// autoprovisioning + /// + [JsonProperty(PropertyName = "configuration")] + public DefenderForServersAwsOfferingVaAutoProvisioningConfiguration Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioningConfiguration.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioningConfiguration.cs new file mode 100644 index 000000000000..da39359e94a3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVaAutoProvisioningConfiguration.cs 
@@ -0,0 +1,57 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// configuration for Vulnerability Assessment autoprovisioning + /// + public partial class DefenderForServersAwsOfferingVaAutoProvisioningConfiguration + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVaAutoProvisioningConfiguration class. + /// + public DefenderForServersAwsOfferingVaAutoProvisioningConfiguration() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVaAutoProvisioningConfiguration class. + /// + /// The Vulnerability Assessment solution to be + /// provisioned. Can be either 'TVM' or 'Qualys'. Possible values + /// include: 'Qualys', 'TVM' + public DefenderForServersAwsOfferingVaAutoProvisioningConfiguration(string type = default(string)) + { + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Vulnerability Assessment solution to be + /// provisioned. Can be either 'TVM' or 'Qualys'. Possible values + /// include: 'Qualys', 'TVM' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScanners.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScanners.cs new file mode 100644 index 000000000000..e032f5829569 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScanners.cs @@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Microsoft Defender for Server VM scanning configuration + /// + public partial class DefenderForServersAwsOfferingVmScanners + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVmScanners class. + /// + public DefenderForServersAwsOfferingVmScanners() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVmScanners class. + /// + /// Is Microsoft Defender for Server VM scanning + /// enabled + /// configuration for Microsoft Defender + /// for Server VM scanning + public DefenderForServersAwsOfferingVmScanners(bool? enabled = default(bool?), DefenderForServersAwsOfferingVmScannersConfiguration configuration = default(DefenderForServersAwsOfferingVmScannersConfiguration)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Microsoft Defender for Server VM scanning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Microsoft Defender for Server VM + /// scanning + /// + [JsonProperty(PropertyName = "configuration")] + public DefenderForServersAwsOfferingVmScannersConfiguration Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScannersConfiguration.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScannersConfiguration.cs new file mode 100644 index 000000000000..b63806c1ff52 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersAwsOfferingVmScannersConfiguration.cs 
@@ -0,0 +1,75 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// configuration for Microsoft Defender for Server VM scanning + /// + public partial class DefenderForServersAwsOfferingVmScannersConfiguration + { + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVmScannersConfiguration class. + /// + public DefenderForServersAwsOfferingVmScannersConfiguration() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersAwsOfferingVmScannersConfiguration class. + /// + /// The cloud role ARN in AWS for this + /// feature + /// The scanning mode for the vm scan. + /// Possible values include: 'Default' + /// VM tags that indicates that VM should + /// not be scanned + public DefenderForServersAwsOfferingVmScannersConfiguration(string cloudRoleArn = default(string), string scanningMode = default(string), IDictionary exclusionTags = default(IDictionary)) + { + CloudRoleArn = cloudRoleArn; + ScanningMode = scanningMode; + ExclusionTags = exclusionTags; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + /// + /// Gets or sets the scanning mode for the vm scan. 
Possible values + /// include: 'Default' + /// + [JsonProperty(PropertyName = "scanningMode")] + public string ScanningMode { get; set; } + + /// + /// Gets or sets VM tags that indicates that VM should not be scanned + /// + [JsonProperty(PropertyName = "exclusionTags")] + public IDictionary ExclusionTags { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOffering.cs new file mode 100644 index 000000000000..cda61fe0dde1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOffering.cs 
@@ -0,0 +1,95 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for Servers GCP offering configurations + /// + [Newtonsoft.Json.JsonObject("DefenderForServersGcp")] + public partial class DefenderForServersGcpOffering : CloudOffering + { + /// + /// Initializes a new instance of the DefenderForServersGcpOffering + /// class. + /// + public DefenderForServersGcpOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DefenderForServersGcpOffering + /// class. + /// + /// The offering description. + /// The Defender for servers + /// connection configuration + /// The ARC autoprovisioning + /// configuration + /// The Vulnerability Assessment + /// autoprovisioning configuration + /// The Microsoft Defender for + /// Endpoint autoprovisioning configuration + /// configuration for the servers offering + /// subPlan + public DefenderForServersGcpOffering(string description = default(string), DefenderForServersGcpOfferingDefenderForServers defenderForServers = default(DefenderForServersGcpOfferingDefenderForServers), DefenderForServersGcpOfferingArcAutoProvisioning arcAutoProvisioning = default(DefenderForServersGcpOfferingArcAutoProvisioning), DefenderForServersGcpOfferingVaAutoProvisioning vaAutoProvisioning = default(DefenderForServersGcpOfferingVaAutoProvisioning), DefenderForServersGcpOfferingMdeAutoProvisioning mdeAutoProvisioning = default(DefenderForServersGcpOfferingMdeAutoProvisioning), DefenderForServersGcpOfferingSubPlan subPlan = default(DefenderForServersGcpOfferingSubPlan)) + : base(description) + { + DefenderForServers = 
defenderForServers; + ArcAutoProvisioning = arcAutoProvisioning; + VaAutoProvisioning = vaAutoProvisioning; + MdeAutoProvisioning = mdeAutoProvisioning; + SubPlan = subPlan; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Defender for servers connection configuration + /// + [JsonProperty(PropertyName = "defenderForServers")] + public DefenderForServersGcpOfferingDefenderForServers DefenderForServers { get; set; } + + /// + /// Gets or sets the ARC autoprovisioning configuration + /// + [JsonProperty(PropertyName = "arcAutoProvisioning")] + public DefenderForServersGcpOfferingArcAutoProvisioning ArcAutoProvisioning { get; set; } + + /// + /// Gets or sets the Vulnerability Assessment autoprovisioning + /// configuration + /// + [JsonProperty(PropertyName = "vaAutoProvisioning")] + public DefenderForServersGcpOfferingVaAutoProvisioning VaAutoProvisioning { get; set; } + + /// + /// Gets or sets the Microsoft Defender for Endpoint autoprovisioning + /// configuration + /// + [JsonProperty(PropertyName = "mdeAutoProvisioning")] + public DefenderForServersGcpOfferingMdeAutoProvisioning MdeAutoProvisioning { get; set; } + + /// + /// Gets or sets configuration for the servers offering subPlan + /// + [JsonProperty(PropertyName = "subPlan")] + public DefenderForServersGcpOfferingSubPlan SubPlan { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingArcAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingArcAutoProvisioning.cs new file mode 100644 index 000000000000..7baa02415409 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingArcAutoProvisioning.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ARC autoprovisioning configuration + /// + public partial class DefenderForServersGcpOfferingArcAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingArcAutoProvisioning class. + /// + public DefenderForServersGcpOfferingArcAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingArcAutoProvisioning class. + /// + /// Is arc auto provisioning enabled + public DefenderForServersGcpOfferingArcAutoProvisioning(bool? enabled = default(bool?)) + { + Enabled = enabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is arc auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingDefenderForServers.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingDefenderForServers.cs new file mode 100644 index 000000000000..ec0a18faff99 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingDefenderForServers.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Defender for servers connection configuration + /// + public partial class DefenderForServersGcpOfferingDefenderForServers + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingDefenderForServers class. + /// + public DefenderForServersGcpOfferingDefenderForServers() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingDefenderForServers class. + /// + /// The workload identity + /// provider id in GCP for this feature + /// The service account email + /// address in GCP for this feature + public DefenderForServersGcpOfferingDefenderForServers(string workloadIdentityProviderId = default(string), string serviceAccountEmailAddress = default(string)) + { + WorkloadIdentityProviderId = workloadIdentityProviderId; + ServiceAccountEmailAddress = serviceAccountEmailAddress; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the workload identity provider id in GCP for this + /// feature + /// + [JsonProperty(PropertyName = "workloadIdentityProviderId")] + public string WorkloadIdentityProviderId { get; set; } + + /// + /// Gets or sets the service account email address in GCP for this + /// feature + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingMdeAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingMdeAutoProvisioning.cs new file mode 100644 index 000000000000..329b867fb127 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingMdeAutoProvisioning.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Microsoft Defender for Endpoint autoprovisioning configuration + /// + public partial class DefenderForServersGcpOfferingMdeAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingMdeAutoProvisioning class. + /// + public DefenderForServersGcpOfferingMdeAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingMdeAutoProvisioning class. + /// + /// Is Microsoft Defender for Endpoint auto + /// provisioning enabled + /// configuration for Microsoft Defender + /// for Endpoint autoprovisioning + public DefenderForServersGcpOfferingMdeAutoProvisioning(bool? enabled = default(bool?), object configuration = default(object)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Microsoft Defender for Endpoint auto provisioning + /// enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Microsoft Defender for Endpoint + /// autoprovisioning + /// + [JsonProperty(PropertyName = "configuration")] + public object Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingSubPlan.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingSubPlan.cs new file mode 100644 index 000000000000..20207d77ab47 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingSubPlan.cs @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// configuration for the servers offering subPlan + /// + public partial class DefenderForServersGcpOfferingSubPlan + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingSubPlan class. + /// + public DefenderForServersGcpOfferingSubPlan() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingSubPlan class. + /// + /// The available sub plans. Possible values + /// include: 'P1', 'P2' + public DefenderForServersGcpOfferingSubPlan(string type = default(string)) + { + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the available sub plans. Possible values include: + /// 'P1', 'P2' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioning.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioning.cs new file mode 100644 index 000000000000..63befae83b99 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioning.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The Vulnerability Assessment autoprovisioning configuration + /// + public partial class DefenderForServersGcpOfferingVaAutoProvisioning + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingVaAutoProvisioning class. + /// + public DefenderForServersGcpOfferingVaAutoProvisioning() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingVaAutoProvisioning class. + /// + /// Is Vulnerability Assessment auto provisioning + /// enabled + /// configuration for Vulnerability + /// Assessment autoprovisioning + public DefenderForServersGcpOfferingVaAutoProvisioning(bool? enabled = default(bool?), DefenderForServersGcpOfferingVaAutoProvisioningConfiguration configuration = default(DefenderForServersGcpOfferingVaAutoProvisioningConfiguration)) + { + Enabled = enabled; + Configuration = configuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets is Vulnerability Assessment auto provisioning enabled + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets configuration for Vulnerability Assessment + /// autoprovisioning + /// + [JsonProperty(PropertyName = "configuration")] + public DefenderForServersGcpOfferingVaAutoProvisioningConfiguration Configuration { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioningConfiguration.cs b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioningConfiguration.cs new file mode 100644 index 000000000000..6b09a5c9fbd2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DefenderForServersGcpOfferingVaAutoProvisioningConfiguration.cs 
@@ -0,0 +1,57 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// configuration for Vulnerability Assessment autoprovisioning + /// + public partial class DefenderForServersGcpOfferingVaAutoProvisioningConfiguration + { + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingVaAutoProvisioningConfiguration class. + /// + public DefenderForServersGcpOfferingVaAutoProvisioningConfiguration() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DefenderForServersGcpOfferingVaAutoProvisioningConfiguration class. + /// + /// The Vulnerability Assessment solution to be + /// provisioned. Can be either 'TVM' or 'Qualys'. Possible values + /// include: 'Qualys', 'TVM' + public DefenderForServersGcpOfferingVaAutoProvisioningConfiguration(string type = default(string)) + { + Type = type; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Vulnerability Assessment solution to be + /// provisioned. Can be either 'TVM' or 'Qualys'. Possible values + /// include: 'Qualys', 'TVM' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DenylistCustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/DenylistCustomAlertRule.cs new file mode 100644 index 000000000000..1bfe4ef2944a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DenylistCustomAlertRule.cs 
@@ -0,0 +1,80 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A custom alert rule that checks if a value (depends on the custom alert + /// type) is denied. + /// + [Newtonsoft.Json.JsonObject("DenylistCustomAlertRule")] + public partial class DenylistCustomAlertRule : ListCustomAlertRule + { + /// + /// Initializes a new instance of the DenylistCustomAlertRule class. + /// + public DenylistCustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DenylistCustomAlertRule class. + /// + /// Status of the custom alert. + /// The values to deny. The format of the + /// values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public DenylistCustomAlertRule(bool isEnabled, IList denylistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, displayName, description, valueType) + { + DenylistValues = denylistValues; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the values to deny. The format of the values depends + /// on the rule type. + /// + [JsonProperty(PropertyName = "denylistValues")] + public IList DenylistValues { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + if (DenylistValues == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DenylistValues"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DeviceSecurityGroup.cs b/src/Security/Security.Management.Sdk/Generated/Models/DeviceSecurityGroup.cs new file mode 100644 index 000000000000..1c292fc222b8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DeviceSecurityGroup.cs 
@@ -0,0 +1,88 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The device security group resource + /// + [Rest.Serialization.JsonTransformation] + public partial class DeviceSecurityGroup : Resource + { + /// + /// Initializes a new instance of the DeviceSecurityGroup class. + /// + public DeviceSecurityGroup() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DeviceSecurityGroup class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The list of custom alert threshold + /// rules. + /// The list of custom alert time-window + /// rules. + /// The allow-list custom alert + /// rules. + /// The deny-list custom alert + /// rules. + public DeviceSecurityGroup(string id = default(string), string name = default(string), string type = default(string), IList thresholdRules = default(IList), IList timeWindowRules = default(IList), IList allowlistRules = default(IList), IList denylistRules = default(IList)) + : base(id, name, type) + { + ThresholdRules = thresholdRules; + TimeWindowRules = timeWindowRules; + AllowlistRules = allowlistRules; + DenylistRules = denylistRules; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the list of custom alert threshold rules. 
+ /// + [JsonProperty(PropertyName = "properties.thresholdRules")] + public IList ThresholdRules { get; set; } + + /// + /// Gets or sets the list of custom alert time-window rules. + /// + [JsonProperty(PropertyName = "properties.timeWindowRules")] + public IList TimeWindowRules { get; set; } + + /// + /// Gets or sets the allow-list custom alert rules. + /// + [JsonProperty(PropertyName = "properties.allowlistRules")] + public IList AllowlistRules { get; set; } + + /// + /// Gets or sets the deny-list custom alert rules. + /// + [JsonProperty(PropertyName = "properties.denylistRules")] + public IList DenylistRules { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DirectMethodInvokesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/DirectMethodInvokesNotInAllowedRange.cs new file mode 100644 index 000000000000..5965d3547967 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DirectMethodInvokesNotInAllowedRange.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of direct method invokes is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("DirectMethodInvokesNotInAllowedRange")] + public partial class DirectMethodInvokesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// DirectMethodInvokesNotInAllowedRange class. + /// + public DirectMethodInvokesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// DirectMethodInvokesNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public DirectMethodInvokesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Direction.cs b/src/Security/Security.Management.Sdk/Generated/Models/Direction.cs new file mode 100644 index 000000000000..1f13287d7fa6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Direction.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Direction. + /// + public static class Direction + { + public const string Inbound = "Inbound"; + public const string Outbound = "Outbound"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/DiscoveredSecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/DiscoveredSecuritySolution.cs new file mode 100644 index 000000000000..dcd1ce59ccfb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/DiscoveredSecuritySolution.cs 
@@ -0,0 +1,137 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class DiscoveredSecuritySolution + { + /// + /// Initializes a new instance of the DiscoveredSecuritySolution class. + /// + public DiscoveredSecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the DiscoveredSecuritySolution class. + /// + /// The security family of the discovered + /// solution. Possible values include: 'Waf', 'Ngfw', 'SaasWaf', + /// 'Va' + /// The security solutions' image offer + /// The security solutions' image + /// publisher + /// The security solutions' image sku + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public DiscoveredSecuritySolution(string securityFamily, string offer, string publisher, string sku, string id = default(string), string name = default(string), string type = default(string), string location = default(string)) + { + Id = id; + Name = name; + Type = type; + Location = location; + SecurityFamily = securityFamily; + Offer = offer; + Publisher = publisher; + Sku = sku; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// 
Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets or sets the security family of the discovered solution. + /// Possible values include: 'Waf', 'Ngfw', 'SaasWaf', 'Va' + /// + [JsonProperty(PropertyName = "properties.securityFamily")] + public string SecurityFamily { get; set; } + + /// + /// Gets or sets the security solutions' image offer + /// + [JsonProperty(PropertyName = "properties.offer")] + public string Offer { get; set; } + + /// + /// Gets or sets the security solutions' image publisher + /// + [JsonProperty(PropertyName = "properties.publisher")] + public string Publisher { get; set; } + + /// + /// Gets or sets the security solutions' image sku + /// + [JsonProperty(PropertyName = "properties.sku")] + public string Sku { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (SecurityFamily == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "SecurityFamily"); + } + if (Offer == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Offer"); + } + if (Publisher == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Publisher"); + } + if (Sku == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Sku"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/EffectiveNetworkSecurityGroups.cs b/src/Security/Security.Management.Sdk/Generated/Models/EffectiveNetworkSecurityGroups.cs new file mode 100644 index 000000000000..17b9f1c49622 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/EffectiveNetworkSecurityGroups.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes the Network Security Groups effective on a network interface + /// + public partial class EffectiveNetworkSecurityGroups + { + /// + /// Initializes a new instance of the EffectiveNetworkSecurityGroups + /// class. + /// + public EffectiveNetworkSecurityGroups() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the EffectiveNetworkSecurityGroups + /// class. + /// + /// The Azure resource ID of the network + /// interface + /// The Network Security Groups + /// effective on the network interface + public EffectiveNetworkSecurityGroups(string networkInterface = default(string), IList networkSecurityGroups = default(IList)) + { + NetworkInterface = networkInterface; + NetworkSecurityGroups = networkSecurityGroups; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Azure resource ID of the network interface + /// + [JsonProperty(PropertyName = "networkInterface")] + public string NetworkInterface { get; set; } + + /// + /// Gets or sets the Network Security Groups effective on the network + /// interface + /// + [JsonProperty(PropertyName = "networkSecurityGroups")] + public IList NetworkSecurityGroups { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/EndOfSupportStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/EndOfSupportStatus.cs new file mode 100644 index 000000000000..711d2f3fa86d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/EndOfSupportStatus.cs @@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for EndOfSupportStatus. + /// + public static class EndOfSupportStatus + { + public const string None = "None"; + public const string NoLongerSupported = "noLongerSupported"; + public const string VersionNoLongerSupported = "versionNoLongerSupported"; + public const string UpcomingNoLongerSupported = "upcomingNoLongerSupported"; + public const string UpcomingVersionNoLongerSupported = "upcomingVersionNoLongerSupported"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/EnvironmentData.cs b/src/Security/Security.Management.Sdk/Generated/Models/EnvironmentData.cs new file mode 100644 index 000000000000..2e3a2bc00d39 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/EnvironmentData.cs 
@@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The security connector environment data. + /// + [Newtonsoft.Json.JsonObject("EnvironmentData")] + public partial class EnvironmentData + { + /// + /// Initializes a new instance of the EnvironmentData class. + /// + public EnvironmentData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/EventSource.cs b/src/Security/Security.Management.Sdk/Generated/Models/EventSource.cs new file mode 100644 index 000000000000..e90fe1ebe454 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/EventSource.cs 
@@ -0,0 +1,31 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for EventSource. + /// + public static class EventSource + { + public const string Assessments = "Assessments"; + public const string AssessmentsSnapshot = "AssessmentsSnapshot"; + public const string SubAssessments = "SubAssessments"; + public const string SubAssessmentsSnapshot = "SubAssessmentsSnapshot"; + public const string Alerts = "Alerts"; + public const string SecureScores = "SecureScores"; + public const string SecureScoresSnapshot = "SecureScoresSnapshot"; + public const string SecureScoreControls = "SecureScoreControls"; + public const string SecureScoreControlsSnapshot = "SecureScoreControlsSnapshot"; + public const string RegulatoryComplianceAssessment = "RegulatoryComplianceAssessment"; + public const string RegulatoryComplianceAssessmentSnapshot = "RegulatoryComplianceAssessmentSnapshot"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExecuteGovernanceRuleParams.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExecuteGovernanceRuleParams.cs new file mode 100644 index 000000000000..539efccfb5d4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExecuteGovernanceRuleParams.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Governance rule execution parameters + /// + public partial class ExecuteGovernanceRuleParams + { + /// + /// Initializes a new instance of the ExecuteGovernanceRuleParams + /// class. + /// + public ExecuteGovernanceRuleParams() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ExecuteGovernanceRuleParams + /// class. + /// + /// Describe if governance rule should + /// be override + public ExecuteGovernanceRuleParams(bool? overrideProperty = default(bool?)) + { + OverrideProperty = overrideProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets describe if governance rule should be override + /// + [JsonProperty(PropertyName = "override")] + public bool? OverrideProperty { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExecuteRuleStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExecuteRuleStatus.cs new file mode 100644 index 000000000000..6c5d37c8ab15 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExecuteRuleStatus.cs 
@@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Execute status of Security GovernanceRule over a given scope + /// + public partial class ExecuteRuleStatus + { + /// + /// Initializes a new instance of the ExecuteRuleStatus class. + /// + public ExecuteRuleStatus() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ExecuteRuleStatus class. + /// + /// Unique key for the execution of + /// GovernanceRule + public ExecuteRuleStatus(string operationId = default(string)) + { + OperationId = operationId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets unique key for the execution of GovernanceRule + /// + [JsonProperty(PropertyName = "operationId")] + public string OperationId { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExpandControlsEnum.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExpandControlsEnum.cs new file mode 100644 index 000000000000..e9d717ddacba --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExpandControlsEnum.cs 
@@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ExpandControlsEnum. + /// + public static class ExpandControlsEnum + { + /// + /// Add definition object for each control + /// + public const string Definition = "definition"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExpandEnum.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExpandEnum.cs new file mode 100644 index 000000000000..6f3b1395c0b3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExpandEnum.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ExpandEnum. + /// + public static class ExpandEnum + { + /// + /// All links associated with an assessment + /// + public const string Links = "links"; + /// + /// Assessment metadata + /// + public const string Metadata = "metadata"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExportData.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExportData.cs new file mode 100644 index 000000000000..4702716c60b7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExportData.cs 
@@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ExportData. + /// + public static class ExportData + { + /// + /// Agent raw events + /// + public const string RawEvents = "RawEvents"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolution.cs new file mode 100644 index 000000000000..e2d8f37146e5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolution.cs 
@@ -0,0 +1,79 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a security solution external to Microsoft Defender for Cloud + /// which sends information to an OMS workspace and whose data is displayed + /// by Microsoft Defender for Cloud. + /// + [Newtonsoft.Json.JsonObject("ExternalSecuritySolution")] + public partial class ExternalSecuritySolution + { + /// + /// Initializes a new instance of the ExternalSecuritySolution class. + /// + public ExternalSecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ExternalSecuritySolution class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public ExternalSecuritySolution(string id = default(string), string name = default(string), string type = default(string), string location = default(string)) + { + Id = id; + Name = name; + Type = type; + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + 
} +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind.cs new file mode 100644 index 000000000000..06da0714d086 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ExternalSecuritySolutionKind. + /// + public static class ExternalSecuritySolutionKind + { + public const string CEF = "CEF"; + public const string ATA = "ATA"; + public const string AAD = "AAD"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind1.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind1.cs new file mode 100644 index 000000000000..7a1246b2fade --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionKind1.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with kind + /// + public partial class ExternalSecuritySolutionKind1 + { + /// + /// Initializes a new instance of the ExternalSecuritySolutionKind1 + /// class. + /// + public ExternalSecuritySolutionKind1() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ExternalSecuritySolutionKind1 + /// class. + /// + /// The kind of the external solution. Possible + /// values include: 'CEF', 'ATA', 'AAD' + public ExternalSecuritySolutionKind1(string kind = default(string)) + { + Kind = kind; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the kind of the external solution. Possible values + /// include: 'CEF', 'ATA', 'AAD' + /// + [JsonProperty(PropertyName = "kind")] + public string Kind { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionProperties.cs new file mode 100644 index 000000000000..0d621f57ed66 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ExternalSecuritySolutionProperties.cs 
@@ -0,0 +1,75 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The solution properties (correspond to the solution kind) + /// + public partial class ExternalSecuritySolutionProperties + { + /// + /// Initializes a new instance of the + /// ExternalSecuritySolutionProperties class. + /// + public ExternalSecuritySolutionProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// ExternalSecuritySolutionProperties class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + public ExternalSecuritySolutionProperties(IDictionary additionalProperties = default(IDictionary), string deviceVendor = default(string), string deviceType = default(string), ConnectedWorkspace workspace = default(ConnectedWorkspace)) + { + AdditionalProperties = additionalProperties; + DeviceVendor = deviceVendor; + DeviceType = deviceType; + Workspace = workspace; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + /// + /// + [JsonProperty(PropertyName = "deviceVendor")] + public string DeviceVendor { get; set; } + + /// + /// + [JsonProperty(PropertyName = "deviceType")] + public string DeviceType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "workspace")] + public 
ConnectedWorkspace Workspace { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/FailedLocalLoginsNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/FailedLocalLoginsNotInAllowedRange.cs new file mode 100644 index 000000000000..940afb4c7ce2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/FailedLocalLoginsNotInAllowedRange.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of failed local logins is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("FailedLocalLoginsNotInAllowedRange")] + public partial class FailedLocalLoginsNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// FailedLocalLoginsNotInAllowedRange class. + /// + public FailedLocalLoginsNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// FailedLocalLoginsNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public FailedLocalLoginsNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/FileUploadsNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/FileUploadsNotInAllowedRange.cs
new file mode 100644
index 000000000000..b35c49246449
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/Models/FileUploadsNotInAllowedRange.cs
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of file uploads is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("FileUploadsNotInAllowedRange")] + public partial class FileUploadsNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the FileUploadsNotInAllowedRange + /// class. + /// + public FileUploadsNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the FileUploadsNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public FileUploadsNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpCredentialsDetailsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpCredentialsDetailsProperties.cs
new file mode 100644
index 000000000000..946e5ec735eb
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpCredentialsDetailsProperties.cs
@@ -0,0 +1,210 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// GCP cloud account connector based service to service credentials, the + /// credentials are composed of the organization ID and a JSON API key + /// (write only) + /// + [Newtonsoft.Json.JsonObject("gcpCredentials")] + public partial class GcpCredentialsDetailsProperties : AuthenticationDetailsProperties + { + /// + /// Initializes a new instance of the GcpCredentialsDetailsProperties + /// class. + /// + public GcpCredentialsDetailsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GcpCredentialsDetailsProperties + /// class. + /// + /// The organization ID of the GCP cloud + /// account + /// Type field of the API key (write only) + /// Project ID field of the API key (write + /// only) + /// Private key ID field of the API key + /// (write only) + /// Private key field of the API key (write + /// only) + /// Client email field of the API key (write + /// only) + /// Client ID field of the API key (write + /// only) + /// Auth URI field of the API key (write + /// only) + /// Token URI field of the API key (write + /// only) + /// Auth provider x509 + /// certificate URL field of the API key (write only) + /// Client x509 certificate URL field + /// of the API key (write only) + /// State of the + /// multi-cloud connector. Possible values include: 'Valid', 'Invalid', + /// 'Expired', 'IncorrectPolicy' + /// The permissions detected in the + /// cloud account. 
+ public GcpCredentialsDetailsProperties(string organizationId, string type, string projectId, string privateKeyId, string privateKey, string clientEmail, string clientId, string authUri, string tokenUri, string authProviderX509CertUrl, string clientX509CertUrl, string authenticationProvisioningState = default(string), IList grantedPermissions = default(IList)) + : base(authenticationProvisioningState, grantedPermissions) + { + OrganizationId = organizationId; + Type = type; + ProjectId = projectId; + PrivateKeyId = privateKeyId; + PrivateKey = privateKey; + ClientEmail = clientEmail; + ClientId = clientId; + AuthUri = authUri; + TokenUri = tokenUri; + AuthProviderX509CertUrl = authProviderX509CertUrl; + ClientX509CertUrl = clientX509CertUrl; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the organization ID of the GCP cloud account + /// + [JsonProperty(PropertyName = "organizationId")] + public string OrganizationId { get; set; } + + /// + /// Gets or sets type field of the API key (write only) + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + /// + /// Gets or sets project ID field of the API key (write only) + /// + [JsonProperty(PropertyName = "projectId")] + public string ProjectId { get; set; } + + /// + /// Gets or sets private key ID field of the API key (write only) + /// + [JsonProperty(PropertyName = "privateKeyId")] + public string PrivateKeyId { get; set; } + + /// + /// Gets or sets private key field of the API key (write only) + /// + [JsonProperty(PropertyName = "privateKey")] + public string PrivateKey { get; set; } + + /// + /// Gets or sets client email field of the API key (write only) + /// + [JsonProperty(PropertyName = "clientEmail")] + public string ClientEmail { get; set; } + + /// + /// Gets or sets client ID field of the API key (write only) + /// + [JsonProperty(PropertyName = 
"clientId")] + public string ClientId { get; set; } + + /// + /// Gets or sets auth URI field of the API key (write only) + /// + [JsonProperty(PropertyName = "authUri")] + public string AuthUri { get; set; } + + /// + /// Gets or sets token URI field of the API key (write only) + /// + [JsonProperty(PropertyName = "tokenUri")] + public string TokenUri { get; set; } + + /// + /// Gets or sets auth provider x509 certificate URL field of the API + /// key (write only) + /// + [JsonProperty(PropertyName = "authProviderX509CertUrl")] + public string AuthProviderX509CertUrl { get; set; } + + /// + /// Gets or sets client x509 certificate URL field of the API key + /// (write only) + /// + [JsonProperty(PropertyName = "clientX509CertUrl")] + public string ClientX509CertUrl { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (OrganizationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "OrganizationId"); + } + if (Type == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Type"); + } + if (ProjectId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ProjectId"); + } + if (PrivateKeyId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PrivateKeyId"); + } + if (PrivateKey == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PrivateKey"); + } + if (ClientEmail == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ClientEmail"); + } + if (ClientId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ClientId"); + } + if (AuthUri == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AuthUri"); + } + if (TokenUri == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "TokenUri"); + } + if (AuthProviderX509CertUrl == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "AuthProviderX509CertUrl"); + } + if (ClientX509CertUrl == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ClientX509CertUrl"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalData.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalData.cs new file mode 100644 index 000000000000..4f4f65ff90e8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalData.cs @@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The gcpOrganization data + /// + [Newtonsoft.Json.JsonObject("GcpOrganizationalData")] + public partial class GcpOrganizationalData + { + /// + /// Initializes a new instance of the GcpOrganizationalData class. + /// + public GcpOrganizationalData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataMember.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataMember.cs new file mode 100644 index 000000000000..27089dd7141e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataMember.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The gcpOrganization data for the member account + /// + [Newtonsoft.Json.JsonObject("Member")] + public partial class GcpOrganizationalDataMember : GcpOrganizationalData + { + /// + /// Initializes a new instance of the GcpOrganizationalDataMember + /// class. + /// + public GcpOrganizationalDataMember() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GcpOrganizationalDataMember + /// class. + /// + /// If the multi cloud account is not + /// of membership type organization, this will be the ID of the + /// project's parent + /// The GCP management project + /// number from organizational onboarding + public GcpOrganizationalDataMember(string parentHierarchyId = default(string), string managementProjectNumber = default(string)) + { + ParentHierarchyId = parentHierarchyId; + ManagementProjectNumber = managementProjectNumber; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets if the multi cloud account is not of membership type + /// organization, this will be the ID of the project's parent + /// + [JsonProperty(PropertyName = "parentHierarchyId")] + public string ParentHierarchyId { get; set; } + + /// + /// Gets or sets the GCP management project number from organizational + /// onboarding + /// + [JsonProperty(PropertyName = "managementProjectNumber")] + public string ManagementProjectNumber { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataOrganization.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataOrganization.cs new file mode 100644 index 000000000000..85401007420b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpOrganizationalDataOrganization.cs 
@@ -0,0 +1,81 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The gcpOrganization data for the parent account + /// + [Newtonsoft.Json.JsonObject("Organization")] + public partial class GcpOrganizationalDataOrganization : GcpOrganizationalData + { + /// + /// Initializes a new instance of the GcpOrganizationalDataOrganization + /// class. + /// + public GcpOrganizationalDataOrganization() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GcpOrganizationalDataOrganization + /// class. + /// + /// If the multi cloud account is + /// of membership type organization, list of accounts excluded from + /// offering + /// The service account email + /// address which represents the organization level permissions + /// container. 
+ /// The GCP workload identity + /// provider id which represents the permissions required to auto + /// provision security connectors + public GcpOrganizationalDataOrganization(IList excludedProjectNumbers = default(IList), string serviceAccountEmailAddress = default(string), string workloadIdentityProviderId = default(string)) + { + ExcludedProjectNumbers = excludedProjectNumbers; + ServiceAccountEmailAddress = serviceAccountEmailAddress; + WorkloadIdentityProviderId = workloadIdentityProviderId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets if the multi cloud account is of membership type + /// organization, list of accounts excluded from offering + /// + [JsonProperty(PropertyName = "excludedProjectNumbers")] + public IList ExcludedProjectNumbers { get; set; } + + /// + /// Gets or sets the service account email address which represents the + /// organization level permissions container. + /// + [JsonProperty(PropertyName = "serviceAccountEmailAddress")] + public string ServiceAccountEmailAddress { get; set; } + + /// + /// Gets or sets the GCP workload identity provider id which represents + /// the permissions required to auto provision security connectors + /// + [JsonProperty(PropertyName = "workloadIdentityProviderId")] + public string WorkloadIdentityProviderId { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectDetails.cs new file mode 100644 index 000000000000..9740d24d3e5b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectDetails.cs 
@@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The details about the project represented by the security connector + /// + public partial class GcpProjectDetails + { + /// + /// Initializes a new instance of the GcpProjectDetails class. + /// + public GcpProjectDetails() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GcpProjectDetails class. + /// + /// The unique GCP Project number + /// The GCP Project id + /// The GCP workload identity + /// federation pool id + public GcpProjectDetails(string projectNumber = default(string), string projectId = default(string), string workloadIdentityPoolId = default(string)) + { + ProjectNumber = projectNumber; + ProjectId = projectId; + WorkloadIdentityPoolId = workloadIdentityPoolId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the unique GCP Project number + /// + [JsonProperty(PropertyName = "projectNumber")] + public string ProjectNumber { get; set; } + + /// + /// Gets or sets the GCP Project id + /// + [JsonProperty(PropertyName = "projectId")] + public string ProjectId { get; set; } + + /// + /// Gets the GCP workload identity federation pool id + /// + [JsonProperty(PropertyName = "workloadIdentityPoolId")] + public string WorkloadIdentityPoolId { get; private set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectEnvironmentData.cs b/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectEnvironmentData.cs new file mode 100644 index 000000000000..db15032181db --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GcpProjectEnvironmentData.cs 
@@ -0,0 +1,61 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The GCP project connector environment data + /// + [Newtonsoft.Json.JsonObject("GcpProject")] + public partial class GcpProjectEnvironmentData : EnvironmentData + { + /// + /// Initializes a new instance of the GcpProjectEnvironmentData class. + /// + public GcpProjectEnvironmentData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GcpProjectEnvironmentData class. + /// + /// The Gcp project's organizational + /// data + /// The Gcp project's details + public GcpProjectEnvironmentData(GcpOrganizationalData organizationalData = default(GcpOrganizationalData), GcpProjectDetails projectDetails = default(GcpProjectDetails)) + { + OrganizationalData = organizationalData; + ProjectDetails = projectDetails; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Gcp project's organizational data + /// + [JsonProperty(PropertyName = "organizationalData")] + public GcpOrganizationalData OrganizationalData { get; set; } + + /// + /// Gets or sets the Gcp project's details + /// + [JsonProperty(PropertyName = "projectDetails")] + public GcpProjectDetails ProjectDetails { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GithubScopeEnvironmentData.cs b/src/Security/Security.Management.Sdk/Generated/Models/GithubScopeEnvironmentData.cs new file mode 100644 index 000000000000..628876724aa6 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/GithubScopeEnvironmentData.cs @@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The github scope connector's environment data + /// + [Newtonsoft.Json.JsonObject("GithubScope")] + public partial class GithubScopeEnvironmentData : EnvironmentData + { + /// + /// Initializes a new instance of the GithubScopeEnvironmentData class. + /// + public GithubScopeEnvironmentData() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignment.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignment.cs new file mode 100644 index 000000000000..8277c24d4ac6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignment.cs 
@@ -0,0 +1,130 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Security GovernanceAssignment over a given scope + /// + [Rest.Serialization.JsonTransformation] + public partial class GovernanceAssignment : Resource + { + /// + /// Initializes a new instance of the GovernanceAssignment class. + /// + public GovernanceAssignment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GovernanceAssignment class. + /// + /// The remediation due-date - after + /// this date Secure Score will be affected (in case of active + /// grace-period) + /// Resource Id + /// Resource name + /// Resource type + /// The Owner for the governance assignment - e.g. + /// user@contoso.com - see example + /// The ETA (estimated time of arrival) + /// for remediation (optional), see example + /// Defines whether there is a grace period + /// on the governance assignment + /// The email notifications + /// settings for the governance rule, states whether to disable + /// notifications for mangers and owners + /// The additional data for the governance + /// assignment - e.g. links to ticket (optional), see example + public GovernanceAssignment(System.DateTime remediationDueDate, string id = default(string), string name = default(string), string type = default(string), string owner = default(string), RemediationEta remediationEta = default(RemediationEta), bool? 
isGracePeriod = default(bool?), GovernanceEmailNotification governanceEmailNotification = default(GovernanceEmailNotification), GovernanceAssignmentAdditionalData additionalData = default(GovernanceAssignmentAdditionalData)) + : base(id, name, type) + { + Owner = owner; + RemediationDueDate = remediationDueDate; + RemediationEta = remediationEta; + IsGracePeriod = isGracePeriod; + GovernanceEmailNotification = governanceEmailNotification; + AdditionalData = additionalData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Owner for the governance assignment - e.g. + /// user@contoso.com - see example + /// + [JsonProperty(PropertyName = "properties.owner")] + public string Owner { get; set; } + + /// + /// Gets or sets the remediation due-date - after this date Secure + /// Score will be affected (in case of active grace-period) + /// + [JsonProperty(PropertyName = "properties.remediationDueDate")] + public System.DateTime RemediationDueDate { get; set; } + + /// + /// Gets or sets the ETA (estimated time of arrival) for remediation + /// (optional), see example + /// + [JsonProperty(PropertyName = "properties.remediationEta")] + public RemediationEta RemediationEta { get; set; } + + /// + /// Gets or sets defines whether there is a grace period on the + /// governance assignment + /// + [JsonProperty(PropertyName = "properties.isGracePeriod")] + public bool? IsGracePeriod { get; set; } + + /// + /// Gets or sets the email notifications settings for the governance + /// rule, states whether to disable notifications for mangers and + /// owners + /// + [JsonProperty(PropertyName = "properties.governanceEmailNotification")] + public GovernanceEmailNotification GovernanceEmailNotification { get; set; } + + /// + /// Gets or sets the additional data for the governance assignment - + /// e.g. 
links to ticket (optional), see example + /// + [JsonProperty(PropertyName = "properties.additionalData")] + public GovernanceAssignmentAdditionalData AdditionalData { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (RemediationEta != null) + { + RemediationEta.Validate(); + } + if (AdditionalData != null) + { + AdditionalData.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignmentAdditionalData.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignmentAdditionalData.cs new file mode 100644 index 000000000000..46d3b2b18a1c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceAssignmentAdditionalData.cs 
@@ -0,0 +1,92 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describe the additional data of GovernanceAssignment - optional + /// + public partial class GovernanceAssignmentAdditionalData + { + /// + /// Initializes a new instance of the + /// GovernanceAssignmentAdditionalData class. + /// + public GovernanceAssignmentAdditionalData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// GovernanceAssignmentAdditionalData class. + /// + /// Ticket number associated with this + /// GovernanceAssignment + /// Ticket link associated with this + /// GovernanceAssignment - for example: https://snow.com + /// The ticket status associated with this + /// GovernanceAssignment - for example: Active + public GovernanceAssignmentAdditionalData(int? ticketNumber = default(int?), string ticketLink = default(string), string ticketStatus = default(string)) + { + TicketNumber = ticketNumber; + TicketLink = ticketLink; + TicketStatus = ticketStatus; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets ticket number associated with this + /// GovernanceAssignment + /// + [JsonProperty(PropertyName = "ticketNumber")] + public int? 
TicketNumber { get; set; } + + /// + /// Gets or sets ticket link associated with this GovernanceAssignment + /// - for example: https://snow.com + /// + [JsonProperty(PropertyName = "ticketLink")] + public string TicketLink { get; set; } + + /// + /// Gets or sets the ticket status associated with this + /// GovernanceAssignment - for example: Active + /// + [JsonProperty(PropertyName = "ticketStatus")] + public string TicketStatus { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (TicketNumber != null) + { + if (TicketNumber < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "TicketNumber", 0); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceEmailNotification.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceEmailNotification.cs new file mode 100644 index 000000000000..a0025d9b0d02 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceEmailNotification.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The governance email weekly notification configuration. + /// + public partial class GovernanceEmailNotification + { + /// + /// Initializes a new instance of the GovernanceEmailNotification + /// class. + /// + public GovernanceEmailNotification() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GovernanceEmailNotification + /// class. + /// + /// Exclude manager from + /// weekly email notification. + /// Exclude owner from + /// weekly email notification. + public GovernanceEmailNotification(bool? disableManagerEmailNotification = default(bool?), bool? disableOwnerEmailNotification = default(bool?)) + { + DisableManagerEmailNotification = disableManagerEmailNotification; + DisableOwnerEmailNotification = disableOwnerEmailNotification; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets exclude manager from weekly email notification. + /// + [JsonProperty(PropertyName = "disableManagerEmailNotification")] + public bool? DisableManagerEmailNotification { get; set; } + + /// + /// Gets or sets exclude owner from weekly email notification. + /// + [JsonProperty(PropertyName = "disableOwnerEmailNotification")] + public bool? DisableOwnerEmailNotification { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRule.cs new file mode 100644 index 000000000000..34d35b619c55 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRule.cs 
@@ -0,0 +1,201 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security GovernanceRule over a given scope + /// + [Rest.Serialization.JsonTransformation] + public partial class GovernanceRule : Resource + { + /// + /// Initializes a new instance of the GovernanceRule class. + /// + public GovernanceRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GovernanceRule class. + /// + /// display name of the + /// governanceRule + /// The governance rule priority, priority + /// to the lower number. Rules with the same priority on the same + /// subscription will not be allowed + /// The rule type of the governance rule, + /// defines the source of the rule e.g. Integrated. Possible values + /// include: 'Integrated', 'ServiceNow' + /// The governance rule conditionSets - see + /// examples + /// The Owner source for the governance rule + /// - e.g. Manually by user@contoso.com - see example + /// Resource Id + /// Resource name + /// Resource type + /// description of the governanceRule + /// Governance rule remediation + /// timeframe - this is the time that will affect on the grace-period + /// duration e.g. 
7.00:00:00 - means 7 days + /// Defines whether there is a grace period + /// on the governance rule + /// Defines whether the rule is + /// active/inactive + /// The email notifications + /// settings for the governance rule, states whether to disable + /// notifications for mangers and owners + public GovernanceRule(string displayName, int rulePriority, string ruleType, IList conditionSets, GovernanceRuleOwnerSource ownerSource, string id = default(string), string name = default(string), string type = default(string), string description = default(string), string remediationTimeframe = default(string), bool? isGracePeriod = default(bool?), bool? isDisabled = default(bool?), GovernanceRuleEmailNotification governanceEmailNotification = default(GovernanceRuleEmailNotification)) + : base(id, name, type) + { + DisplayName = displayName; + Description = description; + RemediationTimeframe = remediationTimeframe; + IsGracePeriod = isGracePeriod; + RulePriority = rulePriority; + IsDisabled = isDisabled; + RuleType = ruleType; + ConditionSets = conditionSets; + OwnerSource = ownerSource; + GovernanceEmailNotification = governanceEmailNotification; + CustomInit(); + } + /// + /// Static constructor for GovernanceRule class. + /// + static GovernanceRule() + { + SourceResourceType = "Assessments"; + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets display name of the governanceRule + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets description of the governanceRule + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets governance rule remediation timeframe - this is the + /// time that will affect on the grace-period duration e.g. 
7.00:00:00 + /// - means 7 days + /// + [JsonProperty(PropertyName = "properties.remediationTimeframe")] + public string RemediationTimeframe { get; set; } + + /// + /// Gets or sets defines whether there is a grace period on the + /// governance rule + /// + [JsonProperty(PropertyName = "properties.isGracePeriod")] + public bool? IsGracePeriod { get; set; } + + /// + /// Gets or sets the governance rule priority, priority to the lower + /// number. Rules with the same priority on the same subscription will + /// not be allowed + /// + [JsonProperty(PropertyName = "properties.rulePriority")] + public int RulePriority { get; set; } + + /// + /// Gets or sets defines whether the rule is active/inactive + /// + [JsonProperty(PropertyName = "properties.isDisabled")] + public bool? IsDisabled { get; set; } + + /// + /// Gets or sets the rule type of the governance rule, defines the + /// source of the rule e.g. Integrated. Possible values include: + /// 'Integrated', 'ServiceNow' + /// + [JsonProperty(PropertyName = "properties.ruleType")] + public string RuleType { get; set; } + + /// + /// Gets or sets the governance rule conditionSets - see examples + /// + [JsonProperty(PropertyName = "properties.conditionSets")] + public IList ConditionSets { get; set; } + + /// + /// Gets or sets the Owner source for the governance rule - e.g. + /// Manually by user@contoso.com - see example + /// + [JsonProperty(PropertyName = "properties.ownerSource")] + public GovernanceRuleOwnerSource OwnerSource { get; set; } + + /// + /// Gets or sets the email notifications settings for the governance + /// rule, states whether to disable notifications for mangers and + /// owners + /// + [JsonProperty(PropertyName = "properties.governanceEmailNotification")] + public GovernanceRuleEmailNotification GovernanceEmailNotification { get; set; } + + /// + /// The governance rule source, what the rule affects, e.g. 
Assessments + /// + [JsonProperty(PropertyName = "properties.sourceResourceType")] + public static string SourceResourceType { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (DisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DisplayName"); + } + if (RuleType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "RuleType"); + } + if (ConditionSets == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ConditionSets"); + } + if (OwnerSource == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "OwnerSource"); + } + if (RulePriority > 1000) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "RulePriority", 1000); + } + if (RulePriority < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "RulePriority", 0); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleConditionOperator.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleConditionOperator.cs new file mode 100644 index 000000000000..45187122ce91 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleConditionOperator.cs 
@@ -0,0 +1,30 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for GovernanceRuleConditionOperator. + /// + public static class GovernanceRuleConditionOperator + { + /// + /// Checks that the string value of the data defined in Property equals + /// the given value - exact fit + /// + public const string Equals = "Equals"; + /// + /// Checks that the string value of the data defined in Property equals + /// any of the given values (exact fit) + /// + public const string In = "In"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleEmailNotification.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleEmailNotification.cs new file mode 100644 index 000000000000..111958173334 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleEmailNotification.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The governance email weekly notification configuration. + /// + public partial class GovernanceRuleEmailNotification + { + /// + /// Initializes a new instance of the GovernanceRuleEmailNotification + /// class. + /// + public GovernanceRuleEmailNotification() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GovernanceRuleEmailNotification + /// class. + /// + /// Defines whether + /// manager email notifications are disabled. + /// Defines whether owner + /// email notifications are disabled. + public GovernanceRuleEmailNotification(bool? disableManagerEmailNotification = default(bool?), bool? disableOwnerEmailNotification = default(bool?)) + { + DisableManagerEmailNotification = disableManagerEmailNotification; + DisableOwnerEmailNotification = disableOwnerEmailNotification; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets defines whether manager email notifications are + /// disabled. + /// + [JsonProperty(PropertyName = "disableManagerEmailNotification")] + public bool? DisableManagerEmailNotification { get; set; } + + /// + /// Gets or sets defines whether owner email notifications are + /// disabled. + /// + [JsonProperty(PropertyName = "disableOwnerEmailNotification")] + public bool? DisableOwnerEmailNotification { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSource.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSource.cs new file mode 100644 index 000000000000..3a02cca449c5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSource.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describe the owner source of governance rule + /// + public partial class GovernanceRuleOwnerSource + { + /// + /// Initializes a new instance of the GovernanceRuleOwnerSource class. + /// + public GovernanceRuleOwnerSource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the GovernanceRuleOwnerSource class. + /// + /// The owner type for the governance rule owner + /// source. Possible values include: 'ByTag', 'Manually' + /// The source value e.g. tag key like owner name + /// or email address + public GovernanceRuleOwnerSource(string type = default(string), string value = default(string)) + { + Type = type; + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the owner type for the governance rule owner source. + /// Possible values include: 'ByTag', 'Manually' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + /// + /// Gets or sets the source value e.g. tag key like owner name or email + /// address + /// + [JsonProperty(PropertyName = "value")] + public string Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSourceType.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSourceType.cs new file mode 100644 index 000000000000..fc90a51ab5f5 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleOwnerSourceType.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for GovernanceRuleOwnerSourceType. + /// + public static class GovernanceRuleOwnerSourceType + { + /// + /// The rule source type defined using resource tag + /// + public const string ByTag = "ByTag"; + /// + /// The rule source type defined manually + /// + public const string Manually = "Manually"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleType.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleType.cs new file mode 100644 index 000000000000..f8aa038f85b2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRuleType.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for GovernanceRuleType. + /// + public static class GovernanceRuleType + { + /// + /// The source of the rule type definition is integrated + /// + public const string Integrated = "Integrated"; + /// + /// The source of the rule type definition is ServiceNow + /// + public const string ServiceNow = "ServiceNow"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders.cs new file mode 100644 index 000000000000..a2c3a7772b8b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders.cs @@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Defines headers for RuleIdExecuteSingleSecurityConnector operation. + /// + public partial class GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders + { + /// + /// Initializes a new instance of the + /// GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders class. + /// + public GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders class. + /// + /// Location URL for the execution + /// status + public GovernanceRulesRuleIdExecuteSingleSecurityConnectorHeaders(string location = default(string)) + { + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets location URL for the execution status + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders.cs b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders.cs new file mode 100644 index 000000000000..ea088da2857b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders.cs @@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Defines headers for RuleIdExecuteSingleSubscription operation. + /// + public partial class GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders + { + /// + /// Initializes a new instance of the + /// GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders class. + /// + public GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders class. + /// + /// Location URL for the execution + /// status + public GovernanceRulesRuleIdExecuteSingleSubscriptionHeaders(string location = default(string)) + { + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets location URL for the execution status + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..b4c92a0347b1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of cloud to device messages (HTTP protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("HttpC2DMessagesNotInAllowedRange")] + public partial class HttpC2DMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the HttpC2DMessagesNotInAllowedRange + /// class. + /// + public HttpC2DMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the HttpC2DMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public HttpC2DMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DRejectedMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DRejectedMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..a9d06f027578 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/HttpC2DRejectedMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of rejected cloud to device messages (HTTP protocol) is not in + /// allowed range. + /// + [Newtonsoft.Json.JsonObject("HttpC2DRejectedMessagesNotInAllowedRange")] + public partial class HttpC2DRejectedMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// HttpC2DRejectedMessagesNotInAllowedRange class. + /// + public HttpC2DRejectedMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// HttpC2DRejectedMessagesNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public HttpC2DRejectedMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/HttpD2CMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/HttpD2CMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..d9ecd22c241b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/HttpD2CMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of device to cloud messages (HTTP protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("HttpD2CMessagesNotInAllowedRange")] + public partial class HttpD2CMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the HttpD2CMessagesNotInAllowedRange + /// class. + /// + public HttpD2CMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the HttpD2CMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public HttpD2CMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeProvisioningState.cs b/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeProvisioningState.cs new file mode 100644 index 000000000000..738d7684264e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeProvisioningState.cs @@ -0,0 +1,32 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for HybridComputeProvisioningState. + /// + public static class HybridComputeProvisioningState + { + /// + /// Valid service principal details. + /// + public const string Valid = "Valid"; + /// + /// Invalid service principal details. + /// + public const string Invalid = "Invalid"; + /// + /// the service principal details are expired + /// + public const string Expired = "Expired"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeSettingsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeSettingsProperties.cs new file mode 100644 index 000000000000..18bf12f00bc5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/HybridComputeSettingsProperties.cs 
@@ -0,0 +1,124 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Settings for hybrid compute management + /// + public partial class HybridComputeSettingsProperties + { + /// + /// Initializes a new instance of the HybridComputeSettingsProperties + /// class. + /// + public HybridComputeSettingsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the HybridComputeSettingsProperties + /// class. + /// + /// Whether or not to automatically install + /// Azure Arc (hybrid compute) agents on machines. Possible values + /// include: 'On', 'Off' + /// State of the service + /// principal and its secret. Possible values include: 'Valid', + /// 'Invalid', 'Expired' + /// The name of the resource group + /// where Arc (Hybrid Compute) connectors are connected. + /// The location where the metadata of machines + /// will be stored + /// For a non-Azure machine that is not + /// connected directly to the internet, specify a proxy server that the + /// non-Azure machine can use. + /// An object to access resources that + /// are secured by an Azure AD tenant. 
+ public HybridComputeSettingsProperties(string autoProvision, string hybridComputeProvisioningState = default(string), string resourceGroupName = default(string), string region = default(string), ProxyServerProperties proxyServer = default(ProxyServerProperties), ServicePrincipalProperties servicePrincipal = default(ServicePrincipalProperties)) + { + HybridComputeProvisioningState = hybridComputeProvisioningState; + AutoProvision = autoProvision; + ResourceGroupName = resourceGroupName; + Region = region; + ProxyServer = proxyServer; + ServicePrincipal = servicePrincipal; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets state of the service principal and its secret. Possible values + /// include: 'Valid', 'Invalid', 'Expired' + /// + [JsonProperty(PropertyName = "hybridComputeProvisioningState")] + public string HybridComputeProvisioningState { get; private set; } + + /// + /// Gets or sets whether or not to automatically install Azure Arc + /// (hybrid compute) agents on machines. Possible values include: 'On', + /// 'Off' + /// + [JsonProperty(PropertyName = "autoProvision")] + public string AutoProvision { get; set; } + + /// + /// Gets or sets the name of the resource group where Arc (Hybrid + /// Compute) connectors are connected. + /// + [JsonProperty(PropertyName = "resourceGroupName")] + public string ResourceGroupName { get; set; } + + /// + /// Gets or sets the location where the metadata of machines will be + /// stored + /// + [JsonProperty(PropertyName = "region")] + public string Region { get; set; } + + /// + /// Gets or sets for a non-Azure machine that is not connected directly + /// to the internet, specify a proxy server that the non-Azure machine + /// can use. 
+ /// + [JsonProperty(PropertyName = "proxyServer")] + public ProxyServerProperties ProxyServer { get; set; } + + /// + /// Gets or sets an object to access resources that are secured by an + /// Azure AD tenant. + /// + [JsonProperty(PropertyName = "servicePrincipal")] + public ServicePrincipalProperties ServicePrincipal { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AutoProvision == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AutoProvision"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ImplementationEffort.cs b/src/Security/Security.Management.Sdk/Generated/Models/ImplementationEffort.cs new file mode 100644 index 000000000000..bb650e74439d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ImplementationEffort.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ImplementationEffort. + /// + public static class ImplementationEffort + { + public const string Low = "Low"; + public const string Moderate = "Moderate"; + public const string High = "High"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOffering.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOffering.cs new file mode 100644 index 000000000000..9ec2666df8c1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOffering.cs 
@@ -0,0 +1,57 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The information protection for AWS offering + /// + [Newtonsoft.Json.JsonObject("InformationProtectionAws")] + public partial class InformationProtectionAwsOffering : CloudOffering + { + /// + /// Initializes a new instance of the InformationProtectionAwsOffering + /// class. + /// + public InformationProtectionAwsOffering() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the InformationProtectionAwsOffering + /// class. + /// + /// The offering description. + /// The native cloud connection + /// configuration + public InformationProtectionAwsOffering(string description = default(string), InformationProtectionAwsOfferingInformationProtection informationProtection = default(InformationProtectionAwsOfferingInformationProtection)) + : base(description) + { + InformationProtection = informationProtection; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the native cloud connection configuration + /// + [JsonProperty(PropertyName = "informationProtection")] + public InformationProtectionAwsOfferingInformationProtection InformationProtection { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOfferingInformationProtection.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOfferingInformationProtection.cs new file mode 100644 index 000000000000..d2868f0f3374 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionAwsOfferingInformationProtection.cs @@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The native cloud connection configuration + /// + public partial class InformationProtectionAwsOfferingInformationProtection + { + /// + /// Initializes a new instance of the + /// InformationProtectionAwsOfferingInformationProtection class. + /// + public InformationProtectionAwsOfferingInformationProtection() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// InformationProtectionAwsOfferingInformationProtection class. + /// + /// The cloud role ARN in AWS for this + /// feature + public InformationProtectionAwsOfferingInformationProtection(string cloudRoleArn = default(string)) + { + CloudRoleArn = cloudRoleArn; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the cloud role ARN in AWS for this feature + /// + [JsonProperty(PropertyName = "cloudRoleArn")] + public string CloudRoleArn { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionKeyword.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionKeyword.cs new file mode 100644 index 000000000000..081316c6a281 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionKeyword.cs 
@@ -0,0 +1,81 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The information type keyword. + /// + public partial class InformationProtectionKeyword + { + /// + /// Initializes a new instance of the InformationProtectionKeyword + /// class. + /// + public InformationProtectionKeyword() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the InformationProtectionKeyword + /// class. + /// + /// The keyword pattern. + /// Indicates whether the keyword is custom or + /// not. + /// Indicates whether the keyword can be + /// applied on numeric types or not. + /// Indicates whether the keyword is excluded or + /// not. + public InformationProtectionKeyword(string pattern = default(string), bool? custom = default(bool?), bool? canBeNumeric = default(bool?), bool? excluded = default(bool?)) + { + Pattern = pattern; + Custom = custom; + CanBeNumeric = canBeNumeric; + Excluded = excluded; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the keyword pattern. + /// + [JsonProperty(PropertyName = "pattern")] + public string Pattern { get; set; } + + /// + /// Gets or sets indicates whether the keyword is custom or not. + /// + [JsonProperty(PropertyName = "custom")] + public bool? Custom { get; set; } + + /// + /// Gets or sets indicates whether the keyword can be applied on + /// numeric types or not. + /// + [JsonProperty(PropertyName = "canBeNumeric")] + public bool? 
CanBeNumeric { get; set; } + + /// + /// Gets or sets indicates whether the keyword is excluded or not. + /// + [JsonProperty(PropertyName = "excluded")] + public bool? Excluded { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicy.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicy.cs new file mode 100644 index 000000000000..ec242a463632 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicy.cs 
@@ -0,0 +1,88 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Information protection policy. + /// + [Rest.Serialization.JsonTransformation] + public partial class InformationProtectionPolicy : Resource + { + /// + /// Initializes a new instance of the InformationProtectionPolicy + /// class. + /// + public InformationProtectionPolicy() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the InformationProtectionPolicy + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Describes the last UTC time the + /// policy was modified. + /// Describes the version of the policy. + /// Dictionary of sensitivity labels. + /// The sensitivity information + /// types. + public InformationProtectionPolicy(string id = default(string), string name = default(string), string type = default(string), System.DateTime? lastModifiedUtc = default(System.DateTime?), string version = default(string), IDictionary labels = default(IDictionary), IDictionary informationTypes = default(IDictionary)) + : base(id, name, type) + { + LastModifiedUtc = lastModifiedUtc; + Version = version; + Labels = labels; + InformationTypes = informationTypes; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets describes the last UTC time the policy was modified. 
+ /// + [JsonProperty(PropertyName = "properties.lastModifiedUtc")] + public System.DateTime? LastModifiedUtc { get; private set; } + + /// + /// Gets describes the version of the policy. + /// + [JsonProperty(PropertyName = "properties.version")] + public string Version { get; private set; } + + /// + /// Gets or sets dictionary of sensitivity labels. + /// + [JsonProperty(PropertyName = "properties.labels")] + public IDictionary Labels { get; set; } + + /// + /// Gets or sets the sensitivity information types. + /// + [JsonProperty(PropertyName = "properties.informationTypes")] + public IDictionary InformationTypes { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicyName.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicyName.cs new file mode 100644 index 000000000000..980ac3f12ba9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationProtectionPolicyName.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for InformationProtectionPolicyName. + /// + public static class InformationProtectionPolicyName + { + public const string Effective = "effective"; + public const string Custom = "custom"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/InformationType.cs b/src/Security/Security.Management.Sdk/Generated/Models/InformationType.cs new file mode 100644 index 000000000000..928cd9418374 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/InformationType.cs 
@@ -0,0 +1,108 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The information type. + /// + public partial class InformationType + { + /// + /// Initializes a new instance of the InformationType class. + /// + public InformationType() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the InformationType class. + /// + /// The name of the information type. + /// The description of the information + /// type. + /// The order of the information type. + /// The recommended label id to be + /// associated with this information type. + /// Indicates whether the information type is + /// enabled or not. + /// Indicates whether the information type is + /// custom or not. + /// The information type keywords. + public InformationType(string displayName = default(string), string description = default(string), int? order = default(int?), System.Guid? recommendedLabelId = default(System.Guid?), bool? enabled = default(bool?), bool? custom = default(bool?), IList keywords = default(IList)) + { + DisplayName = displayName; + Description = description; + Order = order; + RecommendedLabelId = recommendedLabelId; + Enabled = enabled; + Custom = custom; + Keywords = keywords; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the name of the information type. 
+ /// + [JsonProperty(PropertyName = "displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets the description of the information type. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets the order of the information type. + /// + [JsonProperty(PropertyName = "order")] + public int? Order { get; set; } + + /// + /// Gets or sets the recommended label id to be associated with this + /// information type. + /// + [JsonProperty(PropertyName = "recommendedLabelId")] + public System.Guid? RecommendedLabelId { get; set; } + + /// + /// Gets or sets indicates whether the information type is enabled or + /// not. + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + /// + /// Gets or sets indicates whether the information type is custom or + /// not. + /// + [JsonProperty(PropertyName = "custom")] + public bool? Custom { get; set; } + + /// + /// Gets or sets the information type keywords. + /// + [JsonProperty(PropertyName = "keywords")] + public IList Keywords { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IngestionConnectionString.cs b/src/Security/Security.Management.Sdk/Generated/Models/IngestionConnectionString.cs new file mode 100644 index 000000000000..f3dfa012394b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IngestionConnectionString.cs 
@@ -0,0 +1,60 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Connection string for ingesting security data and logs + /// + public partial class IngestionConnectionString + { + /// + /// Initializes a new instance of the IngestionConnectionString class. + /// + public IngestionConnectionString() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IngestionConnectionString class. + /// + /// The region where ingested logs and data + /// resides + /// Connection string value + public IngestionConnectionString(string location = default(string), string value = default(string)) + { + Location = location; + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the region where ingested logs and data resides + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets connection string value + /// + [JsonProperty(PropertyName = "value")] + public string Value { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IngestionSetting.cs b/src/Security/Security.Management.Sdk/Generated/Models/IngestionSetting.cs new file mode 100644 index 000000000000..c7a6adc3d336 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IngestionSetting.cs 
@@ -0,0 +1,56 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Configures how to correlate scan data and logs with resources + /// associated with the subscription. + /// + public partial class IngestionSetting : Resource + { + /// + /// Initializes a new instance of the IngestionSetting class. + /// + public IngestionSetting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IngestionSetting class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Ingestion setting data + public IngestionSetting(string id = default(string), string name = default(string), string type = default(string), object properties = default(object)) + : base(id, name, type) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets ingestion setting data + /// + [JsonProperty(PropertyName = "properties")] + public object Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IngestionSettingToken.cs b/src/Security/Security.Management.Sdk/Generated/Models/IngestionSettingToken.cs new file mode 100644 index 000000000000..75bb1556dcb4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IngestionSettingToken.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Configures how to correlate scan data and logs with resources + /// associated with the subscription. + /// + public partial class IngestionSettingToken + { + /// + /// Initializes a new instance of the IngestionSettingToken class. + /// + public IngestionSettingToken() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IngestionSettingToken class. + /// + /// The token is used for correlating security data + /// and logs with the resources in the subscription. + public IngestionSettingToken(string token = default(string)) + { + Token = token; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the token is used for correlating security data and logs with + /// the resources in the subscription. + /// + [JsonProperty(PropertyName = "token")] + public string Token { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs b/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs index 671f7b602390..72e3ff79efea 100644 --- a/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs +++ b/src/Security/Security.Management.Sdk/Generated/Models/Intent.cs 
@@ -27,7 +27,7 @@ public static class Intent /// exploitation. This step is usually detected as an attempt, /// originating from outside the network, to scan the target system and /// find a way in. Further details on the PreAttack stage can be read - /// in [MITRE Pre-Att&ck + /// in [MITRE Pre-Attack /// matrix](https://attack.mitre.org/matrices/pre/). /// public const string PreAttack = "PreAttack"; diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlert.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlert.cs new file mode 100644 index 000000000000..6976cdba2dbb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlert.cs 
@@ -0,0 +1,200 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security Solution Aggregated Alert information + /// + [Rest.Serialization.JsonTransformation] + public partial class IoTSecurityAggregatedAlert + { + /// + /// Initializes a new instance of the IoTSecurityAggregatedAlert class. + /// + public IoTSecurityAggregatedAlert() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecurityAggregatedAlert class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Resource tags + /// Name of the alert type. + /// Display name of the alert + /// type. + /// Date of detection. + /// Name of the organization that raised the + /// alert. + /// Assessed alert severity. Possible + /// values include: 'Informational', 'Low', 'Medium', 'High' + /// Recommended steps for + /// remediation. + /// Description of the suspected + /// vulnerability and meaning. + /// Number of alerts occurrences within the + /// aggregated time window. + /// Azure resource ID of the + /// resource that received the alerts. + /// The type of the alerted resource (Azure, + /// Non-Azure). + /// IoT Security solution alert + /// response. + /// Log analytics query for getting the + /// list of affected devices/alerts. + /// 10 devices with the highest number of + /// occurrences of this alert type, on this day. 
+ public IoTSecurityAggregatedAlert(string id = default(string), string name = default(string), string type = default(string), IDictionary tags = default(IDictionary), string alertType = default(string), string alertDisplayName = default(string), System.DateTime? aggregatedDateUtc = default(System.DateTime?), string vendorName = default(string), string reportedSeverity = default(string), string remediationSteps = default(string), string description = default(string), long? count = default(long?), string effectedResourceType = default(string), string systemSource = default(string), string actionTaken = default(string), string logAnalyticsQuery = default(string), IList topDevicesList = default(IList)) + { + Id = id; + Name = name; + Type = type; + Tags = tags; + AlertType = alertType; + AlertDisplayName = alertDisplayName; + AggregatedDateUtc = aggregatedDateUtc; + VendorName = vendorName; + ReportedSeverity = reportedSeverity; + RemediationSteps = remediationSteps; + Description = description; + Count = count; + EffectedResourceType = effectedResourceType; + SystemSource = systemSource; + ActionTaken = actionTaken; + LogAnalyticsQuery = logAnalyticsQuery; + TopDevicesList = topDevicesList; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets or sets resource tags + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary Tags { get; set; } + + /// + /// Gets name of the alert type. 
+ /// + [JsonProperty(PropertyName = "properties.alertType")] + public string AlertType { get; private set; } + + /// + /// Gets display name of the alert type. + /// + [JsonProperty(PropertyName = "properties.alertDisplayName")] + public string AlertDisplayName { get; private set; } + + /// + /// Gets date of detection. + /// + [JsonConverter(typeof(DateJsonConverter))] + [JsonProperty(PropertyName = "properties.aggregatedDateUtc")] + public System.DateTime? AggregatedDateUtc { get; private set; } + + /// + /// Gets name of the organization that raised the alert. + /// + [JsonProperty(PropertyName = "properties.vendorName")] + public string VendorName { get; private set; } + + /// + /// Gets assessed alert severity. Possible values include: + /// 'Informational', 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "properties.reportedSeverity")] + public string ReportedSeverity { get; private set; } + + /// + /// Gets recommended steps for remediation. + /// + [JsonProperty(PropertyName = "properties.remediationSteps")] + public string RemediationSteps { get; private set; } + + /// + /// Gets description of the suspected vulnerability and meaning. + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets number of alerts occurrences within the aggregated time + /// window. + /// + [JsonProperty(PropertyName = "properties.count")] + public long? Count { get; private set; } + + /// + /// Gets azure resource ID of the resource that received the alerts. + /// + [JsonProperty(PropertyName = "properties.effectedResourceType")] + public string EffectedResourceType { get; private set; } + + /// + /// Gets the type of the alerted resource (Azure, Non-Azure). + /// + [JsonProperty(PropertyName = "properties.systemSource")] + public string SystemSource { get; private set; } + + /// + /// Gets ioT Security solution alert response. 
+ /// + [JsonProperty(PropertyName = "properties.actionTaken")] + public string ActionTaken { get; private set; } + + /// + /// Gets log analytics query for getting the list of affected + /// devices/alerts. + /// + [JsonProperty(PropertyName = "properties.logAnalyticsQuery")] + public string LogAnalyticsQuery { get; private set; } + + /// + /// Gets 10 devices with the highest number of occurrences of this + /// alert type, on this day. + /// + [JsonProperty(PropertyName = "properties.topDevicesList")] + public IList TopDevicesList { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.cs new file mode 100644 index 000000000000..e99cf861e643 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.cs 
@@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + public partial class IoTSecurityAggregatedAlertPropertiesTopDevicesListItem + { + /// + /// Initializes a new instance of the + /// IoTSecurityAggregatedAlertPropertiesTopDevicesListItem class. + /// + public IoTSecurityAggregatedAlertPropertiesTopDevicesListItem() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// IoTSecurityAggregatedAlertPropertiesTopDevicesListItem class. + /// + /// Name of the device. + /// Number of alerts raised for this + /// device. + /// Most recent time this alert was raised + /// for this device, on this day. + public IoTSecurityAggregatedAlertPropertiesTopDevicesListItem(string deviceId = default(string), long? alertsCount = default(long?), string lastOccurrence = default(string)) + { + DeviceId = deviceId; + AlertsCount = alertsCount; + LastOccurrence = lastOccurrence; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets name of the device. + /// + [JsonProperty(PropertyName = "deviceId")] + public string DeviceId { get; private set; } + + /// + /// Gets number of alerts raised for this device. + /// + [JsonProperty(PropertyName = "alertsCount")] + public long? AlertsCount { get; private set; } + + /// + /// Gets most recent time this alert was raised for this device, on + /// this day. + /// + [JsonProperty(PropertyName = "lastOccurrence")] + public string LastOccurrence { get; private set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedRecommendation.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedRecommendation.cs new file mode 100644 index 000000000000..10cb785cc6f8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAggregatedRecommendation.cs 
@@ -0,0 +1,175 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// IoT Security solution recommendation information. + /// + [Rest.Serialization.JsonTransformation] + public partial class IoTSecurityAggregatedRecommendation + { + /// + /// Initializes a new instance of the + /// IoTSecurityAggregatedRecommendation class. + /// + public IoTSecurityAggregatedRecommendation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// IoTSecurityAggregatedRecommendation class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Resource tags + /// Name of the + /// recommendation. + /// Display name of the + /// recommendation type. + /// Description of the suspected + /// vulnerability and meaning. + /// Recommendation-type + /// GUID. + /// Name of the organization that made the + /// recommendation. + /// Recommended steps for + /// remediation + /// Assessed recommendation severity. + /// Possible values include: 'Informational', 'Low', 'Medium', + /// 'High' + /// Number of healthy devices within the + /// IoT Security solution. + /// Number of unhealthy devices + /// within the IoT Security solution. + /// Log analytics query for getting the + /// list of affected devices/alerts. 
+ public IoTSecurityAggregatedRecommendation(string id = default(string), string name = default(string), string type = default(string), IDictionary tags = default(IDictionary), string recommendationName = default(string), string recommendationDisplayName = default(string), string description = default(string), string recommendationTypeId = default(string), string detectedBy = default(string), string remediationSteps = default(string), string reportedSeverity = default(string), long? healthyDevices = default(long?), long? unhealthyDeviceCount = default(long?), string logAnalyticsQuery = default(string)) + { + Id = id; + Name = name; + Type = type; + Tags = tags; + RecommendationName = recommendationName; + RecommendationDisplayName = recommendationDisplayName; + Description = description; + RecommendationTypeId = recommendationTypeId; + DetectedBy = detectedBy; + RemediationSteps = remediationSteps; + ReportedSeverity = reportedSeverity; + HealthyDevices = healthyDevices; + UnhealthyDeviceCount = unhealthyDeviceCount; + LogAnalyticsQuery = logAnalyticsQuery; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets or sets resource tags + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary Tags { get; set; } + + /// + /// Gets or sets name of the recommendation. + /// + [JsonProperty(PropertyName = "properties.recommendationName")] + public string RecommendationName { get; set; } + + /// + /// Gets display name of the recommendation type. 
+ /// + [JsonProperty(PropertyName = "properties.recommendationDisplayName")] + public string RecommendationDisplayName { get; private set; } + + /// + /// Gets description of the suspected vulnerability and meaning. + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets recommendation-type GUID. + /// + [JsonProperty(PropertyName = "properties.recommendationTypeId")] + public string RecommendationTypeId { get; private set; } + + /// + /// Gets name of the organization that made the recommendation. + /// + [JsonProperty(PropertyName = "properties.detectedBy")] + public string DetectedBy { get; private set; } + + /// + /// Gets recommended steps for remediation + /// + [JsonProperty(PropertyName = "properties.remediationSteps")] + public string RemediationSteps { get; private set; } + + /// + /// Gets assessed recommendation severity. Possible values include: + /// 'Informational', 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "properties.reportedSeverity")] + public string ReportedSeverity { get; private set; } + + /// + /// Gets number of healthy devices within the IoT Security solution. + /// + [JsonProperty(PropertyName = "properties.healthyDevices")] + public long? HealthyDevices { get; private set; } + + /// + /// Gets number of unhealthy devices within the IoT Security solution. + /// + [JsonProperty(PropertyName = "properties.unhealthyDeviceCount")] + public long? UnhealthyDeviceCount { get; private set; } + + /// + /// Gets log analytics query for getting the list of affected + /// devices/alerts. + /// + [JsonProperty(PropertyName = "properties.logAnalyticsQuery")] + public string LogAnalyticsQuery { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAlertedDevice.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAlertedDevice.cs new file mode 100644 index 000000000000..370ea29693b8 
--- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityAlertedDevice.cs @@ -0,0 +1,61 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Statistical information about the number of alerts per device during + /// last set number of days. + /// + public partial class IoTSecurityAlertedDevice + { + /// + /// Initializes a new instance of the IoTSecurityAlertedDevice class. + /// + public IoTSecurityAlertedDevice() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecurityAlertedDevice class. + /// + /// Device identifier. + /// Number of alerts raised for this + /// device. + public IoTSecurityAlertedDevice(string deviceId = default(string), long? alertsCount = default(long?)) + { + DeviceId = deviceId; + AlertsCount = alertsCount; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets device identifier. + /// + [JsonProperty(PropertyName = "deviceId")] + public string DeviceId { get; private set; } + + /// + /// Gets number of alerts raised for this device. + /// + [JsonProperty(PropertyName = "alertsCount")] + public long? AlertsCount { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceAlert.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceAlert.cs new file mode 100644 index 000000000000..fcc0b588b6c1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceAlert.cs 
@@ -0,0 +1,71 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Statistical information about the number of alerts per alert type + /// during last set number of days + /// + public partial class IoTSecurityDeviceAlert + { + /// + /// Initializes a new instance of the IoTSecurityDeviceAlert class. + /// + public IoTSecurityDeviceAlert() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecurityDeviceAlert class. + /// + /// Display name of the alert + /// Assessed Alert severity. Possible + /// values include: 'Informational', 'Low', 'Medium', 'High' + /// Number of alerts raised for this alert + /// type. + public IoTSecurityDeviceAlert(string alertDisplayName = default(string), string reportedSeverity = default(string), long? alertsCount = default(long?)) + { + AlertDisplayName = alertDisplayName; + ReportedSeverity = reportedSeverity; + AlertsCount = alertsCount; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets display name of the alert + /// + [JsonProperty(PropertyName = "alertDisplayName")] + public string AlertDisplayName { get; private set; } + + /// + /// Gets assessed Alert severity. Possible values include: + /// 'Informational', 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "reportedSeverity")] + public string ReportedSeverity { get; private set; } + + /// + /// Gets number of alerts raised for this alert type. + /// + [JsonProperty(PropertyName = "alertsCount")] + public long? 
AlertsCount { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceRecommendation.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceRecommendation.cs new file mode 100644 index 000000000000..273a5f40b9c5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecurityDeviceRecommendation.cs 
@@ -0,0 +1,75 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Statistical information about the number of recommendations per device, + /// per recommendation type. + /// + public partial class IoTSecurityDeviceRecommendation + { + /// + /// Initializes a new instance of the IoTSecurityDeviceRecommendation + /// class. + /// + public IoTSecurityDeviceRecommendation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecurityDeviceRecommendation + /// class. + /// + /// Display name of the + /// recommendation. + /// Assessed recommendation severity. + /// Possible values include: 'Informational', 'Low', 'Medium', + /// 'High' + /// Number of devices with this + /// recommendation. + public IoTSecurityDeviceRecommendation(string recommendationDisplayName = default(string), string reportedSeverity = default(string), long? devicesCount = default(long?)) + { + RecommendationDisplayName = recommendationDisplayName; + ReportedSeverity = reportedSeverity; + DevicesCount = devicesCount; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets display name of the recommendation. + /// + [JsonProperty(PropertyName = "recommendationDisplayName")] + public string RecommendationDisplayName { get; private set; } + + /// + /// Gets assessed recommendation severity. 
Possible values include: + /// 'Informational', 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "reportedSeverity")] + public string ReportedSeverity { get; private set; } + + /// + /// Gets number of devices with this recommendation. + /// + [JsonProperty(PropertyName = "devicesCount")] + public long? DevicesCount { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModel.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModel.cs new file mode 100644 index 000000000000..d9b4829a9e80 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModel.cs 
@@ -0,0 +1,108 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security analytics of your IoT Security solution + /// + [Rest.Serialization.JsonTransformation] + public partial class IoTSecuritySolutionAnalyticsModel : Resource + { + /// + /// Initializes a new instance of the IoTSecuritySolutionAnalyticsModel + /// class. + /// + public IoTSecuritySolutionAnalyticsModel() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecuritySolutionAnalyticsModel + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Security analytics of your IoT Security + /// solution. + /// Number of unhealthy devices + /// within your IoT Security solution. + /// List of device metrics by the + /// aggregation date. + /// List of the 3 devices with the most + /// alerts. + /// List of the 3 most + /// prevalent device alerts. + /// List of the 3 most + /// prevalent device recommendations. + public IoTSecuritySolutionAnalyticsModel(string id = default(string), string name = default(string), string type = default(string), IoTSeverityMetrics metrics = default(IoTSeverityMetrics), long? 
unhealthyDeviceCount = default(long?), IList devicesMetrics = default(IList), IList topAlertedDevices = default(IList), IList mostPrevalentDeviceAlerts = default(IList), IList mostPrevalentDeviceRecommendations = default(IList)) + : base(id, name, type) + { + Metrics = metrics; + UnhealthyDeviceCount = unhealthyDeviceCount; + DevicesMetrics = devicesMetrics; + TopAlertedDevices = topAlertedDevices; + MostPrevalentDeviceAlerts = mostPrevalentDeviceAlerts; + MostPrevalentDeviceRecommendations = mostPrevalentDeviceRecommendations; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets security analytics of your IoT Security solution. + /// + [JsonProperty(PropertyName = "properties.metrics")] + public IoTSeverityMetrics Metrics { get; private set; } + + /// + /// Gets number of unhealthy devices within your IoT Security solution. + /// + [JsonProperty(PropertyName = "properties.unhealthyDeviceCount")] + public long? UnhealthyDeviceCount { get; private set; } + + /// + /// Gets list of device metrics by the aggregation date. + /// + [JsonProperty(PropertyName = "properties.devicesMetrics")] + public IList DevicesMetrics { get; private set; } + + /// + /// Gets or sets list of the 3 devices with the most alerts. + /// + [JsonProperty(PropertyName = "properties.topAlertedDevices")] + public IList TopAlertedDevices { get; set; } + + /// + /// Gets or sets list of the 3 most prevalent device alerts. + /// + [JsonProperty(PropertyName = "properties.mostPrevalentDeviceAlerts")] + public IList MostPrevalentDeviceAlerts { get; set; } + + /// + /// Gets or sets list of the 3 most prevalent device recommendations. + /// + [JsonProperty(PropertyName = "properties.mostPrevalentDeviceRecommendations")] + public IList MostPrevalentDeviceRecommendations { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelList.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelList.cs new file mode 100644 index 000000000000..2dbfcc768ce6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelList.cs 
@@ -0,0 +1,81 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// List of Security analytics of your IoT Security solution + /// + public partial class IoTSecuritySolutionAnalyticsModelList + { + /// + /// Initializes a new instance of the + /// IoTSecuritySolutionAnalyticsModelList class. + /// + public IoTSecuritySolutionAnalyticsModelList() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// IoTSecuritySolutionAnalyticsModelList class. + /// + /// List of Security analytics of your IoT Security + /// solution + /// When there is too much alert data for one + /// page, use this URI to fetch the next page. + public IoTSecuritySolutionAnalyticsModelList(IList value, string nextLink = default(string)) + { + Value = value; + NextLink = nextLink; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of Security analytics of your IoT Security + /// solution + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + /// + /// Gets when there is too much alert data for one page, use this URI + /// to fetch the next page. + /// + [JsonProperty(PropertyName = "nextLink")] + public string NextLink { get; private set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Value == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Value"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem.cs new file mode 100644 index 000000000000..aee9300681d2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + public partial class IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem + { + /// + /// Initializes a new instance of the + /// IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem + /// class. + /// + public IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem + /// class. + /// + /// Aggregation of IoT Security solution device + /// alert metrics by date. + /// Device alert count by + /// severity. + public IoTSecuritySolutionAnalyticsModelPropertiesDevicesMetricsItem(System.DateTime? date = default(System.DateTime?), IoTSeverityMetrics devicesMetrics = default(IoTSeverityMetrics)) + { + Date = date; + DevicesMetrics = devicesMetrics; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets aggregation of IoT Security solution device alert + /// metrics by date. + /// + [JsonProperty(PropertyName = "date")] + public System.DateTime? Date { get; set; } + + /// + /// Gets or sets device alert count by severity. + /// + [JsonProperty(PropertyName = "devicesMetrics")] + public IoTSeverityMetrics DevicesMetrics { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionModel.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionModel.cs new file mode 100644 index 000000000000..513d7a6b5754 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSecuritySolutionModel.cs 
@@ -0,0 +1,225 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// IoT Security solution configuration and resource information. + /// + [Rest.Serialization.JsonTransformation] + public partial class IoTSecuritySolutionModel + { + /// + /// Initializes a new instance of the IoTSecuritySolutionModel class. + /// + public IoTSecuritySolutionModel() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSecuritySolutionModel class. + /// + /// Resource display name. + /// IoT Hub resource IDs + /// Resource Id + /// Resource name + /// Resource type + /// Resource tags + /// The resource location. + /// Workspace resource ID + /// Status of the IoT Security solution. Possible + /// values include: 'Enabled', 'Disabled' + /// List of additional options for exporting to + /// workspace data. + /// Disabled data sources. Disabling + /// these data sources compromises the system. + /// List of resources that were + /// automatically discovered as relevant to the security + /// solution. + /// Unmasked IP address logging + /// status. Possible values include: 'Disabled', 'Enabled' + /// List of additional + /// workspaces + /// Azure Resource Manager metadata containing + /// createdBy and modifiedBy information. 
+ public IoTSecuritySolutionModel(string displayName, IList iotHubs, string id = default(string), string name = default(string), string type = default(string), IDictionary tags = default(IDictionary), string location = default(string), string workspace = default(string), string status = default(string), IList export = default(IList), IList disabledDataSources = default(IList), UserDefinedResourcesProperties userDefinedResources = default(UserDefinedResourcesProperties), IList autoDiscoveredResources = default(IList), IList recommendationsConfiguration = default(IList), string unmaskedIpLoggingStatus = default(string), IList additionalWorkspaces = default(IList), SystemData systemData = default(SystemData)) + { + Id = id; + Name = name; + Type = type; + Tags = tags; + Location = location; + Workspace = workspace; + DisplayName = displayName; + Status = status; + Export = export; + DisabledDataSources = disabledDataSources; + IotHubs = iotHubs; + UserDefinedResources = userDefinedResources; + AutoDiscoveredResources = autoDiscoveredResources; + RecommendationsConfiguration = recommendationsConfiguration; + UnmaskedIpLoggingStatus = unmaskedIpLoggingStatus; + AdditionalWorkspaces = additionalWorkspaces; + SystemData = systemData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets or sets resource tags + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary Tags { get; set; } + + /// + /// Gets or sets the resource location. 
+ /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + /// + /// Gets or sets workspace resource ID + /// + [JsonProperty(PropertyName = "properties.workspace")] + public string Workspace { get; set; } + + /// + /// Gets or sets resource display name. + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets status of the IoT Security solution. Possible values + /// include: 'Enabled', 'Disabled' + /// + [JsonProperty(PropertyName = "properties.status")] + public string Status { get; set; } + + /// + /// Gets or sets list of additional options for exporting to workspace + /// data. + /// + [JsonProperty(PropertyName = "properties.export")] + public IList Export { get; set; } + + /// + /// Gets or sets disabled data sources. Disabling these data sources + /// compromises the system. + /// + [JsonProperty(PropertyName = "properties.disabledDataSources")] + public IList DisabledDataSources { get; set; } + + /// + /// Gets or sets ioT Hub resource IDs + /// + [JsonProperty(PropertyName = "properties.iotHubs")] + public IList IotHubs { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.userDefinedResources")] + public UserDefinedResourcesProperties UserDefinedResources { get; set; } + + /// + /// Gets list of resources that were automatically discovered as + /// relevant to the security solution. + /// + [JsonProperty(PropertyName = "properties.autoDiscoveredResources")] + public IList AutoDiscoveredResources { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.recommendationsConfiguration")] + public IList RecommendationsConfiguration { get; set; } + + /// + /// Gets or sets unmasked IP address logging status. 
Possible values + /// include: 'Disabled', 'Enabled' + /// + [JsonProperty(PropertyName = "properties.unmaskedIpLoggingStatus")] + public string UnmaskedIpLoggingStatus { get; set; } + + /// + /// Gets or sets list of additional workspaces + /// + [JsonProperty(PropertyName = "properties.additionalWorkspaces")] + public IList AdditionalWorkspaces { get; set; } + + /// + /// Gets azure Resource Manager metadata containing createdBy and + /// modifiedBy information. + /// + [JsonProperty(PropertyName = "systemData")] + public SystemData SystemData { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (DisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DisplayName"); + } + if (IotHubs == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "IotHubs"); + } + if (UserDefinedResources != null) + { + UserDefinedResources.Validate(); + } + if (RecommendationsConfiguration != null) + { + foreach (var element in RecommendationsConfiguration) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/IoTSeverityMetrics.cs b/src/Security/Security.Management.Sdk/Generated/Models/IoTSeverityMetrics.cs new file mode 100644 index 000000000000..71fc0a7748c7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/IoTSeverityMetrics.cs 
@@ -0,0 +1,70 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// IoT Security solution analytics severity metrics. + /// + public partial class IoTSeverityMetrics + { + /// + /// Initializes a new instance of the IoTSeverityMetrics class. + /// + public IoTSeverityMetrics() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the IoTSeverityMetrics class. + /// + /// Count of high severity + /// alerts/recommendations. + /// Count of medium severity + /// alerts/recommendations. + /// Count of low severity + /// alerts/recommendations. + public IoTSeverityMetrics(long? high = default(long?), long? medium = default(long?), long? low = default(long?)) + { + High = high; + Medium = medium; + Low = low; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets count of high severity alerts/recommendations. + /// + [JsonProperty(PropertyName = "high")] + public long? High { get; set; } + + /// + /// Gets or sets count of medium severity alerts/recommendations. + /// + [JsonProperty(PropertyName = "medium")] + public long? Medium { get; set; } + + /// + /// Gets or sets count of low severity alerts/recommendations. + /// + [JsonProperty(PropertyName = "low")] + public long? Low { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicy.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicy.cs new file mode 100644 index 000000000000..dd50ff3c5eb5 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicy.cs 
@@ -0,0 +1,144 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class JitNetworkAccessPolicy + { + /// + /// Initializes a new instance of the JitNetworkAccessPolicy class. + /// + public JitNetworkAccessPolicy() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the JitNetworkAccessPolicy class. + /// + /// Configurations for + /// Microsoft.Compute/virtualMachines resource type. + /// Resource Id + /// Resource name + /// Resource type + /// Kind of the resource + /// Location where the resource is + /// stored + /// Gets the provisioning state of the + /// Just-in-Time policy. 
+ public JitNetworkAccessPolicy(IList virtualMachines, string id = default(string), string name = default(string), string type = default(string), string kind = default(string), string location = default(string), IList requests = default(IList), string provisioningState = default(string)) + { + Id = id; + Name = name; + Type = type; + Kind = kind; + Location = location; + VirtualMachines = virtualMachines; + Requests = requests; + ProvisioningState = provisioningState; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets or sets kind of the resource + /// + [JsonProperty(PropertyName = "kind")] + public string Kind { get; set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets or sets configurations for Microsoft.Compute/virtualMachines + /// resource type. + /// + [JsonProperty(PropertyName = "properties.virtualMachines")] + public IList VirtualMachines { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.requests")] + public IList Requests { get; set; } + + /// + /// Gets the provisioning state of the Just-in-Time policy. + /// + [JsonProperty(PropertyName = "properties.provisioningState")] + public string ProvisioningState { get; private set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (VirtualMachines == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "VirtualMachines"); + } + if (VirtualMachines != null) + { + foreach (var element in VirtualMachines) + { + if (element != null) + { + element.Validate(); + } + } + } + if (Requests != null) + { + foreach (var element1 in Requests) + { + if (element1 != null) + { + element1.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiatePort.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiatePort.cs new file mode 100644 index 000000000000..3ba8881a47ae --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiatePort.cs 
@@ -0,0 +1,78 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + public partial class JitNetworkAccessPolicyInitiatePort + { + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiatePort class. + /// + public JitNetworkAccessPolicyInitiatePort() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiatePort class. + /// + /// The time to close the request in + /// UTC + /// Source of the allowed + /// traffic. If omitted, the request will be for the source IP address + /// of the initiate request. + public JitNetworkAccessPolicyInitiatePort(int number, System.DateTime endTimeUtc, string allowedSourceAddressPrefix = default(string)) + { + Number = number; + AllowedSourceAddressPrefix = allowedSourceAddressPrefix; + EndTimeUtc = endTimeUtc; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "number")] + public int Number { get; set; } + + /// + /// Gets or sets source of the allowed traffic. If omitted, the request + /// will be for the source IP address of the initiate request. + /// + [JsonProperty(PropertyName = "allowedSourceAddressPrefix")] + public string AllowedSourceAddressPrefix { get; set; } + + /// + /// Gets or sets the time to close the request in UTC + /// + [JsonProperty(PropertyName = "endTimeUtc")] + public System.DateTime EndTimeUtc { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + //Nothing to validate + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateRequest.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateRequest.cs new file mode 100644 index 000000000000..a200477d08ac --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateRequest.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessPolicyInitiateRequest + { + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiateRequest class. + /// + public JitNetworkAccessPolicyInitiateRequest() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiateRequest class. + /// + /// A list of virtual machines & + /// ports to open access for + /// The justification for making the + /// initiate request + public JitNetworkAccessPolicyInitiateRequest(IList virtualMachines, string justification = default(string)) + { + VirtualMachines = virtualMachines; + Justification = justification; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets a list of virtual machines &amp; ports to open + /// access for + /// + [JsonProperty(PropertyName = "virtualMachines")] + public IList VirtualMachines { get; set; } + + /// + /// Gets or sets the justification for making the initiate request + /// + [JsonProperty(PropertyName = "justification")] + public string Justification { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (VirtualMachines == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "VirtualMachines"); + } + if (VirtualMachines != null) + { + foreach (var element in VirtualMachines) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateVirtualMachine.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateVirtualMachine.cs new file mode 100644 index 000000000000..184efe058a64 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyInitiateVirtualMachine.cs 
@@ -0,0 +1,91 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessPolicyInitiateVirtualMachine + { + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiateVirtualMachine class. + /// + public JitNetworkAccessPolicyInitiateVirtualMachine() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyInitiateVirtualMachine class. + /// + /// Resource ID of the virtual machine that is linked + /// to this policy + /// The ports to open for the resource with the + /// `id` + public JitNetworkAccessPolicyInitiateVirtualMachine(string id, IList ports) + { + Id = id; + Ports = ports; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets resource ID of the virtual machine that is linked to + /// this policy + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; set; } + + /// + /// Gets or sets the ports to open for the resource with the `id` + /// + [JsonProperty(PropertyName = "ports")] + public IList Ports { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Id == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Id"); + } + if (Ports == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Ports"); + } + if (Ports != null) + { + foreach (var element in Ports) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyVirtualMachine.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyVirtualMachine.cs new file mode 100644 index 000000000000..d9317bcb088a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPolicyVirtualMachine.cs 
@@ -0,0 +1,101 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessPolicyVirtualMachine + { + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyVirtualMachine class. + /// + public JitNetworkAccessPolicyVirtualMachine() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// JitNetworkAccessPolicyVirtualMachine class. + /// + /// Resource ID of the virtual machine that is linked + /// to this policy + /// Port configurations for the virtual + /// machine + /// Public IP address of the Azure + /// Firewall that is linked to this policy, if applicable + public JitNetworkAccessPolicyVirtualMachine(string id, IList ports, string publicIpAddress = default(string)) + { + Id = id; + Ports = ports; + PublicIpAddress = publicIpAddress; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets resource ID of the virtual machine that is linked to + /// this policy + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; set; } + + /// + /// Gets or sets port configurations for the virtual machine + /// + [JsonProperty(PropertyName = "ports")] + public IList Ports { get; set; } + + /// + /// Gets or sets public IP address of the Azure Firewall that is linked + /// to this policy, if applicable + /// + [JsonProperty(PropertyName = "publicIpAddress")] + public string PublicIpAddress { get; set; } + + /// + 
/// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Id == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Id"); + } + if (Ports == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Ports"); + } + if (Ports != null) + { + foreach (var element in Ports) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPortRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPortRule.cs new file mode 100644 index 000000000000..bf465a75df8e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessPortRule.cs 
@@ -0,0 +1,109 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessPortRule + { + /// + /// Initializes a new instance of the JitNetworkAccessPortRule class. + /// + public JitNetworkAccessPortRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the JitNetworkAccessPortRule class. + /// + /// Possible values include: 'TCP', 'UDP', + /// 'All' + /// Maximum duration requests + /// can be made for. In ISO 8601 duration format. Minimum 5 minutes, + /// maximum 1 day + /// Mutually exclusive with + /// the "allowedSourceAddressPrefixes" parameter. Should be an IP + /// address or CIDR, for example "192.168.0.3" or + /// "192.168.0.0/16". + /// Mutually exclusive with + /// the "allowedSourceAddressPrefix" parameter. 
+ public JitNetworkAccessPortRule(int number, string protocol, string maxRequestAccessDuration, string allowedSourceAddressPrefix = default(string), IList allowedSourceAddressPrefixes = default(IList)) + { + Number = number; + Protocol = protocol; + AllowedSourceAddressPrefix = allowedSourceAddressPrefix; + AllowedSourceAddressPrefixes = allowedSourceAddressPrefixes; + MaxRequestAccessDuration = maxRequestAccessDuration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "number")] + public int Number { get; set; } + + /// + /// Gets or sets possible values include: 'TCP', 'UDP', 'All' + /// + [JsonProperty(PropertyName = "protocol")] + public string Protocol { get; set; } + + /// + /// Gets or sets mutually exclusive with the + /// "allowedSourceAddressPrefixes" parameter. Should be an IP address + /// or CIDR, for example "192.168.0.3" or "192.168.0.0/16". + /// + [JsonProperty(PropertyName = "allowedSourceAddressPrefix")] + public string AllowedSourceAddressPrefix { get; set; } + + /// + /// Gets or sets mutually exclusive with the + /// "allowedSourceAddressPrefix" parameter. + /// + [JsonProperty(PropertyName = "allowedSourceAddressPrefixes")] + public IList AllowedSourceAddressPrefixes { get; set; } + + /// + /// Gets or sets maximum duration requests can be made for. In ISO 8601 + /// duration format. Minimum 5 minutes, maximum 1 day + /// + [JsonProperty(PropertyName = "maxRequestAccessDuration")] + public string MaxRequestAccessDuration { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Protocol == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Protocol"); + } + if (MaxRequestAccessDuration == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "MaxRequestAccessDuration"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequest.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequest.cs new file mode 100644 index 000000000000..e0c69789405e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequest.cs 
@@ -0,0 +1,103 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessRequest + { + /// + /// Initializes a new instance of the JitNetworkAccessRequest class. + /// + public JitNetworkAccessRequest() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the JitNetworkAccessRequest class. + /// + /// The start time of the request in + /// UTC + /// The identity of the person who made the + /// request + /// The justification for making the + /// initiate request + public JitNetworkAccessRequest(IList virtualMachines, System.DateTime startTimeUtc, string requestor, string justification = default(string)) + { + VirtualMachines = virtualMachines; + StartTimeUtc = startTimeUtc; + Requestor = requestor; + Justification = justification; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "virtualMachines")] + public IList VirtualMachines { get; set; } + + /// + /// Gets or sets the start time of the request in UTC + /// + [JsonProperty(PropertyName = "startTimeUtc")] + public System.DateTime StartTimeUtc { get; set; } + + /// + /// Gets or sets the identity of the person who made the request + /// + [JsonProperty(PropertyName = "requestor")] + public string Requestor { get; set; } + + /// + /// Gets or sets the justification for making the initiate request + /// + [JsonProperty(PropertyName = "justification")] + public 
string Justification { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (VirtualMachines == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "VirtualMachines"); + } + if (Requestor == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Requestor"); + } + if (VirtualMachines != null) + { + foreach (var element in VirtualMachines) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestPort.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestPort.cs new file mode 100644 index 000000000000..18a2297f1887 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestPort.cs 
@@ -0,0 +1,133 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessRequestPort + { + /// + /// Initializes a new instance of the JitNetworkAccessRequestPort + /// class. + /// + public JitNetworkAccessRequestPort() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the JitNetworkAccessRequestPort + /// class. + /// + /// The date & time at which the request + /// ends in UTC + /// The status of the port. Possible values + /// include: 'Revoked', 'Initiated' + /// A description of why the `status` has + /// its value. Possible values include: 'Expired', 'UserRequested', + /// 'NewerRequestInitiated' + /// Mutually exclusive with + /// the "allowedSourceAddressPrefixes" parameter. Should be an IP + /// address or CIDR, for example "192.168.0.3" or + /// "192.168.0.0/16". + /// Mutually exclusive with + /// the "allowedSourceAddressPrefix" parameter. + /// The port which is mapped to this port's + /// `number` in the Azure Firewall, if applicable + public JitNetworkAccessRequestPort(int number, System.DateTime endTimeUtc, string status, string statusReason, string allowedSourceAddressPrefix = default(string), IList allowedSourceAddressPrefixes = default(IList), int? 
mappedPort = default(int?)) + { + Number = number; + AllowedSourceAddressPrefix = allowedSourceAddressPrefix; + AllowedSourceAddressPrefixes = allowedSourceAddressPrefixes; + EndTimeUtc = endTimeUtc; + Status = status; + StatusReason = statusReason; + MappedPort = mappedPort; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "number")] + public int Number { get; set; } + + /// + /// Gets or sets mutually exclusive with the + /// "allowedSourceAddressPrefixes" parameter. Should be an IP address + /// or CIDR, for example "192.168.0.3" or "192.168.0.0/16". + /// + [JsonProperty(PropertyName = "allowedSourceAddressPrefix")] + public string AllowedSourceAddressPrefix { get; set; } + + /// + /// Gets or sets mutually exclusive with the + /// "allowedSourceAddressPrefix" parameter. + /// + [JsonProperty(PropertyName = "allowedSourceAddressPrefixes")] + public IList AllowedSourceAddressPrefixes { get; set; } + + /// + /// Gets or sets the date &amp; time at which the request ends in + /// UTC + /// + [JsonProperty(PropertyName = "endTimeUtc")] + public System.DateTime EndTimeUtc { get; set; } + + /// + /// Gets or sets the status of the port. Possible values include: + /// 'Revoked', 'Initiated' + /// + [JsonProperty(PropertyName = "status")] + public string Status { get; set; } + + /// + /// Gets or sets a description of why the `status` has its value. + /// Possible values include: 'Expired', 'UserRequested', + /// 'NewerRequestInitiated' + /// + [JsonProperty(PropertyName = "statusReason")] + public string StatusReason { get; set; } + + /// + /// Gets or sets the port which is mapped to this port's `number` in + /// the Azure Firewall, if applicable + /// + [JsonProperty(PropertyName = "mappedPort")] + public int? MappedPort { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Status == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Status"); + } + if (StatusReason == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "StatusReason"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestVirtualMachine.cs b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestVirtualMachine.cs new file mode 100644 index 000000000000..38f2fe3c1c8c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/JitNetworkAccessRequestVirtualMachine.cs 
@@ -0,0 +1,91 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class JitNetworkAccessRequestVirtualMachine + { + /// + /// Initializes a new instance of the + /// JitNetworkAccessRequestVirtualMachine class. + /// + public JitNetworkAccessRequestVirtualMachine() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// JitNetworkAccessRequestVirtualMachine class. + /// + /// Resource ID of the virtual machine that is linked + /// to this policy + /// The ports that were opened for the virtual + /// machine + public JitNetworkAccessRequestVirtualMachine(string id, IList ports) + { + Id = id; + Ports = ports; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets resource ID of the virtual machine that is linked to + /// this policy + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; set; } + + /// + /// Gets or sets the ports that were opened for the virtual machine + /// + [JsonProperty(PropertyName = "ports")] + public IList Ports { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Id == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Id"); + } + if (Ports == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Ports"); + } + if (Ports != null) + { + foreach (var element in Ports) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ListCustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/ListCustomAlertRule.cs new file mode 100644 index 000000000000..763959ad3860 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ListCustomAlertRule.cs 
@@ -0,0 +1,70 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A List custom alert rule. + /// + [Newtonsoft.Json.JsonObject("ListCustomAlertRule")] + public partial class ListCustomAlertRule : CustomAlertRule + { + /// + /// Initializes a new instance of the ListCustomAlertRule class. + /// + public ListCustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ListCustomAlertRule class. + /// + /// Status of the custom alert. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public ListCustomAlertRule(bool isEnabled, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, displayName, description) + { + ValueType = valueType; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the value type of the items in the list. Possible values + /// include: 'IpCidr', 'String' + /// + [JsonProperty(PropertyName = "valueType")] + public string ValueType { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/LocalUserNotAllowed.cs b/src/Security/Security.Management.Sdk/Generated/Models/LocalUserNotAllowed.cs new file mode 100644 index 000000000000..27e661e467c1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/LocalUserNotAllowed.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Login by a local user that isn't allowed. Allow list consists of login + /// names to allow. + /// + [Newtonsoft.Json.JsonObject("LocalUserNotAllowed")] + public partial class LocalUserNotAllowed : AllowlistCustomAlertRule + { + /// + /// Initializes a new instance of the LocalUserNotAllowed class. + /// + public LocalUserNotAllowed() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the LocalUserNotAllowed class. + /// + /// Status of the custom alert. + /// The values to allow. The format of + /// the values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public LocalUserNotAllowed(bool isEnabled, IList allowlistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, allowlistValues, displayName, description, valueType) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Location.cs b/src/Security/Security.Management.Sdk/Generated/Models/Location.cs new file mode 100644 index 000000000000..a35eb9fed24e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Location.cs @@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes an Azure resource with location + /// + public partial class Location + { + /// + /// Initializes a new instance of the Location class. + /// + public Location() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Location class. + /// + /// Location where the resource is + /// stored + public Location(string locationProperty = default(string)) + { + LocationProperty = locationProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string LocationProperty { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingData.cs b/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingData.cs new file mode 100644 index 000000000000..4ac0a8e3c861 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingData.cs 
@@ -0,0 +1,75 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The resource of the configuration or data needed to onboard the machine + /// to MDE + /// + [Rest.Serialization.JsonTransformation] + public partial class MdeOnboardingData : Resource + { + /// + /// Initializes a new instance of the MdeOnboardingData class. + /// + public MdeOnboardingData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the MdeOnboardingData class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The onboarding package used + /// to onboard Windows machines to MDE, coded in base64. This can also + /// be used for onboarding using the dedicated VM Extension + /// The onboarding package used to + /// onboard Linux machines to MDE, coded in base64. This can also be + /// used for onboarding using the dedicated VM Extension + public MdeOnboardingData(string id = default(string), string name = default(string), string type = default(string), byte[] onboardingPackageWindows = default(byte[]), byte[] onboardingPackageLinux = default(byte[])) + : base(id, name, type) + { + OnboardingPackageWindows = onboardingPackageWindows; + OnboardingPackageLinux = onboardingPackageLinux; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the onboarding package used to onboard Windows + /// machines to MDE, coded in base64. 
This can also be used for + /// onboarding using the dedicated VM Extension + /// + [JsonProperty(PropertyName = "properties.onboardingPackageWindows")] + public byte[] OnboardingPackageWindows { get; set; } + + /// + /// Gets or sets the onboarding package used to onboard Linux machines + /// to MDE, coded in base64. This can also be used for onboarding using + /// the dedicated VM Extension + /// + [JsonProperty(PropertyName = "properties.onboardingPackageLinux")] + public byte[] OnboardingPackageLinux { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingDataList.cs b/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingDataList.cs new file mode 100644 index 000000000000..8df1ce7278aa --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MdeOnboardingDataList.cs 
@@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// List of all MDE onboarding data resources + /// + public partial class MdeOnboardingDataList + { + /// + /// Initializes a new instance of the MdeOnboardingDataList class. + /// + public MdeOnboardingDataList() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the MdeOnboardingDataList class. + /// + /// List of the resources of the configuration or + /// data needed to onboard the machine to MDE + public MdeOnboardingDataList(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of the resources of the configuration or data + /// needed to onboard the machine to MDE + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MinimalSeverity.cs b/src/Security/Security.Management.Sdk/Generated/Models/MinimalSeverity.cs new file mode 100644 index 000000000000..3ed9c1cdfeca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MinimalSeverity.cs 
@@ -0,0 +1,33 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for MinimalSeverity. + /// + public static class MinimalSeverity + { + /// + /// Get notifications on new alerts with High severity + /// + public const string High = "High"; + /// + /// Get notifications on new alerts with medium or high severity + /// + public const string Medium = "Medium"; + /// + /// Don't get notifications on new alerts with low, medium or high + /// severity + /// + public const string Low = "Low"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..50ce5fe30a68 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of cloud to device messages (MQTT protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("MqttC2DMessagesNotInAllowedRange")] + public partial class MqttC2DMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the MqttC2DMessagesNotInAllowedRange + /// class. + /// + public MqttC2DMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the MqttC2DMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public MqttC2DMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DRejectedMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DRejectedMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..55fb3039b11a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MqttC2DRejectedMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of rejected cloud to device messages (MQTT protocol) is not in + /// allowed range. + /// + [Newtonsoft.Json.JsonObject("MqttC2DRejectedMessagesNotInAllowedRange")] + public partial class MqttC2DRejectedMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// MqttC2DRejectedMessagesNotInAllowedRange class. + /// + public MqttC2DRejectedMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// MqttC2DRejectedMessagesNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public MqttC2DRejectedMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/MqttD2CMessagesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/MqttD2CMessagesNotInAllowedRange.cs new file mode 100644 index 000000000000..358bb0c6e4f8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/MqttD2CMessagesNotInAllowedRange.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of device to cloud messages (MQTT protocol) is not in allowed + /// range. + /// + [Newtonsoft.Json.JsonObject("MqttD2CMessagesNotInAllowedRange")] + public partial class MqttD2CMessagesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the MqttD2CMessagesNotInAllowedRange + /// class. + /// + public MqttD2CMessagesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the MqttD2CMessagesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public MqttD2CMessagesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseResourceDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseResourceDetails.cs new file mode 100644 index 000000000000..755fcd1a3f42 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseResourceDetails.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the On Premise resource that was assessed + /// + [Newtonsoft.Json.JsonObject("OnPremise")] + public partial class OnPremiseResourceDetails : ResourceDetails + { + /// + /// Initializes a new instance of the OnPremiseResourceDetails class. + /// + public OnPremiseResourceDetails() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the OnPremiseResourceDetails class. + /// + /// Azure resource Id of the workspace the + /// machine is attached to + /// The unique Id of the machine + /// The oms agent Id installed on the + /// machine + /// The name of the machine + public OnPremiseResourceDetails(string workspaceId, string vmuuid, string sourceComputerId, string machineName) + { + WorkspaceId = workspaceId; + Vmuuid = vmuuid; + SourceComputerId = sourceComputerId; + MachineName = machineName; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets azure resource Id of the workspace the machine is + /// attached to + /// + [JsonProperty(PropertyName = "workspaceId")] + public string WorkspaceId { get; set; } + + /// + /// Gets or sets the unique Id of the machine + /// + [JsonProperty(PropertyName = "vmuuid")] + public string Vmuuid { get; set; } + + /// + /// Gets or sets the oms agent Id installed on the machine + /// + [JsonProperty(PropertyName = "sourceComputerId")] + public string SourceComputerId { get; set; } + + /// + /// Gets or sets 
the name of the machine + /// + [JsonProperty(PropertyName = "machineName")] + public string MachineName { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (WorkspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "WorkspaceId"); + } + if (Vmuuid == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Vmuuid"); + } + if (SourceComputerId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "SourceComputerId"); + } + if (MachineName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "MachineName"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseSqlResourceDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseSqlResourceDetails.cs new file mode 100644 index 000000000000..084f5df0f1b6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/OnPremiseSqlResourceDetails.cs 
@@ -0,0 +1,90 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the On Premise Sql resource that was assessed + /// + [Newtonsoft.Json.JsonObject("OnPremiseSql")] + public partial class OnPremiseSqlResourceDetails : OnPremiseResourceDetails + { + /// + /// Initializes a new instance of the OnPremiseSqlResourceDetails + /// class. + /// + public OnPremiseSqlResourceDetails() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the OnPremiseSqlResourceDetails + /// class. + /// + /// Azure resource Id of the workspace the + /// machine is attached to + /// The unique Id of the machine + /// The oms agent Id installed on the + /// machine + /// The name of the machine + /// The Sql server name installed on the + /// machine + /// The Sql database name installed on the + /// machine + public OnPremiseSqlResourceDetails(string workspaceId, string vmuuid, string sourceComputerId, string machineName, string serverName, string databaseName) + : base(workspaceId, vmuuid, sourceComputerId, machineName) + { + ServerName = serverName; + DatabaseName = databaseName; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Sql server name installed on the machine + /// + [JsonProperty(PropertyName = "serverName")] + public string ServerName { get; set; } + + /// + /// Gets or sets the Sql database name installed on the machine + /// + [JsonProperty(PropertyName = "databaseName")] + public string DatabaseName { get; set; 
} + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + if (ServerName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ServerName"); + } + if (DatabaseName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DatabaseName"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Operation.cs b/src/Security/Security.Management.Sdk/Generated/Models/Operation.cs new file mode 100644 index 000000000000..ca7b8be3c64a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Operation.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Possible operation in the REST API of Microsoft.Security + /// + public partial class Operation + { + /// + /// Initializes a new instance of the Operation class. + /// + public Operation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Operation class. + /// + /// Name of the operation + /// Where the operation is originated + public Operation(string name = default(string), string origin = default(string), OperationDisplay display = default(OperationDisplay)) + { + Name = name; + Origin = origin; + Display = display; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets name of the operation + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets where the operation is originated + /// + [JsonProperty(PropertyName = "origin")] + public string Origin { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "display")] + public OperationDisplay Display { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/OperationDisplay.cs b/src/Security/Security.Management.Sdk/Generated/Models/OperationDisplay.cs new file mode 100644 index 000000000000..0da7bfb68a89 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/OperationDisplay.cs 
@@ -0,0 +1,78 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Security operation display + /// + public partial class OperationDisplay + { + /// + /// Initializes a new instance of the OperationDisplay class. + /// + public OperationDisplay() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the OperationDisplay class. + /// + /// The resource provider for the + /// operation. + /// The display name of the resource the + /// operation applies to. + /// The display name of the security + /// operation. + /// The description of the operation. + public OperationDisplay(string provider = default(string), string resource = default(string), string operation = default(string), string description = default(string)) + { + Provider = provider; + Resource = resource; + Operation = operation; + Description = description; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the resource provider for the operation. + /// + [JsonProperty(PropertyName = "provider")] + public string Provider { get; private set; } + + /// + /// Gets the display name of the resource the operation applies to. + /// + [JsonProperty(PropertyName = "resource")] + public string Resource { get; private set; } + + /// + /// Gets the display name of the security operation. + /// + [JsonProperty(PropertyName = "operation")] + public string Operation { get; private set; } + + /// + /// Gets the description of the operation. 
+ /// + [JsonProperty(PropertyName = "description")] + public string Description { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/OperatorModel.cs b/src/Security/Security.Management.Sdk/Generated/Models/OperatorModel.cs new file mode 100644 index 000000000000..2f7657382ce4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/OperatorModel.cs @@ -0,0 +1,56 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for OperatorModel. + /// + public static class OperatorModel + { + /// + /// Applies for decimal and non-decimal operands + /// + public const string Equals = "Equals"; + /// + /// Applies only for decimal operands + /// + public const string GreaterThan = "GreaterThan"; + /// + /// Applies only for decimal operands + /// + public const string GreaterThanOrEqualTo = "GreaterThanOrEqualTo"; + /// + /// Applies only for decimal operands + /// + public const string LesserThan = "LesserThan"; + /// + /// Applies only for decimal operands + /// + public const string LesserThanOrEqualTo = "LesserThanOrEqualTo"; + /// + /// Applies for decimal and non-decimal operands + /// + public const string NotEquals = "NotEquals"; + /// + /// Applies only for non-decimal operands + /// + public const string Contains = "Contains"; + /// + /// Applies only for non-decimal operands + /// + public const string StartsWith = "StartsWith"; + /// + /// Applies only for non-decimal operands + /// + public const string EndsWith = "EndsWith"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PathRecommendation.cs b/src/Security/Security.Management.Sdk/Generated/Models/PathRecommendation.cs new file mode 100644 index 000000000000..d55253f6d73d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/PathRecommendation.cs 
@@ -0,0 +1,125 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Represents a path that is recommended to be allowed and its properties + /// + public partial class PathRecommendation + { + /// + /// Initializes a new instance of the PathRecommendation class. + /// + public PathRecommendation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the PathRecommendation class. + /// + /// The full path of the file, or an identifier of + /// the application + /// Possible values include: 'Recommended', 'Add', + /// 'Remove' + /// Possible values include: 'File', 'FileHash', + /// 'PublisherSignature', 'ProductSignature', 'BinarySignature', + /// 'VersionAndAboveSignature' + /// Whether the application is commonly run on the + /// machine + /// Possible values include: 'Exe', 'Dll', + /// 'Msi', 'Script', 'Executable', 'Unknown' + /// Possible values include: + /// 'Configured', 'NotConfigured', 'InProgress', 'Failed', + /// 'NoStatus' + public PathRecommendation(string path = default(string), string action = default(string), string type = default(string), PublisherInfo publisherInfo = default(PublisherInfo), bool? 
common = default(bool?), IList userSids = default(IList), IList usernames = default(IList), string fileType = default(string), string configurationStatus = default(string)) + { + Path = path; + Action = action; + Type = type; + PublisherInfo = publisherInfo; + Common = common; + UserSids = userSids; + Usernames = usernames; + FileType = fileType; + ConfigurationStatus = configurationStatus; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the full path of the file, or an identifier of the + /// application + /// + [JsonProperty(PropertyName = "path")] + public string Path { get; set; } + + /// + /// Gets or sets possible values include: 'Recommended', 'Add', + /// 'Remove' + /// + [JsonProperty(PropertyName = "action")] + public string Action { get; set; } + + /// + /// Gets or sets possible values include: 'File', 'FileHash', + /// 'PublisherSignature', 'ProductSignature', 'BinarySignature', + /// 'VersionAndAboveSignature' + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; set; } + + /// + /// + [JsonProperty(PropertyName = "publisherInfo")] + public PublisherInfo PublisherInfo { get; set; } + + /// + /// Gets or sets whether the application is commonly run on the machine + /// + [JsonProperty(PropertyName = "common")] + public bool? 
Common { get; set; } + + /// + /// + [JsonProperty(PropertyName = "userSids")] + public IList UserSids { get; set; } + + /// + /// + [JsonProperty(PropertyName = "usernames")] + public IList Usernames { get; set; } + + /// + /// Gets or sets possible values include: 'Exe', 'Dll', 'Msi', + /// 'Script', 'Executable', 'Unknown' + /// + [JsonProperty(PropertyName = "fileType")] + public string FileType { get; set; } + + /// + /// Gets or sets possible values include: 'Configured', + /// 'NotConfigured', 'InProgress', 'Failed', 'NoStatus' + /// + [JsonProperty(PropertyName = "configurationStatus")] + public string ConfigurationStatus { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PermissionProperty.cs b/src/Security/Security.Management.Sdk/Generated/Models/PermissionProperty.cs new file mode 100644 index 000000000000..0e08aa9fcd72 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/PermissionProperty.cs 
@@ -0,0 +1,40 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for PermissionProperty. + /// + public static class PermissionProperty + { + /// + /// This permission provides read only access to AWS Security Hub + /// resources. + /// + public const string AWSAWSSecurityHubReadOnlyAccess = "AWS::AWSSecurityHubReadOnlyAccess"; + /// + /// This permission grants access to read security configuration + /// metadata. + /// + public const string AWSSecurityAudit = "AWS::SecurityAudit"; + /// + /// The permission provides for EC2 Automation service to execute + /// activities defined within Automation documents. + /// + public const string AWSAmazonSSMAutomationRole = "AWS::AmazonSSMAutomationRole"; + /// + /// This permission provides read only access to GCP Security Command + /// Center. + /// + public const string GCPSecurityCenterAdminViewer = "GCP::Security Center Admin Viewer"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Pricing.cs b/src/Security/Security.Management.Sdk/Generated/Models/Pricing.cs new file mode 100644 index 000000000000..98d8608e872b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Pricing.cs 
@@ -0,0 +1,132 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Microsoft Defender for Cloud is provided in two pricing tiers: free and + /// standard, with the standard tier available with a trial period. The + /// standard tier offers advanced security capabilities, while the free + /// tier offers basic security features. + /// + [Rest.Serialization.JsonTransformation] + public partial class Pricing : Resource + { + /// + /// Initializes a new instance of the Pricing class. + /// + public Pricing() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Pricing class. + /// + /// The pricing tier value. Microsoft + /// Defender for Cloud is provided in two pricing tiers: free and + /// standard, with the standard tier available with a trial period. The + /// standard tier offers advanced security capabilities, while the free + /// tier offers basic security features. Possible values include: + /// 'Free', 'Standard' + /// Resource Id + /// Resource name + /// Resource type + /// The sub-plan selected for a Standard pricing + /// configuration, when more than one sub-plan is available. Each + /// sub-plan enables a set of security features. When not specified, + /// full plan is applied. + /// The duration left for the + /// subscriptions free trial period - in ISO 8601 format (e.g. + /// P3Y6M4DT12H30M5S). + /// Optional. True if the plan is deprecated. 
+ /// If there are replacing plans they will appear in `replacedBy` + /// property + /// Optional. List of plans that replace this + /// plan. This property exists only if this plan is deprecated. + public Pricing(string pricingTier, string id = default(string), string name = default(string), string type = default(string), string subPlan = default(string), System.TimeSpan? freeTrialRemainingTime = default(System.TimeSpan?), bool? deprecated = default(bool?), IList replacedBy = default(IList)) + : base(id, name, type) + { + PricingTier = pricingTier; + SubPlan = subPlan; + FreeTrialRemainingTime = freeTrialRemainingTime; + Deprecated = deprecated; + ReplacedBy = replacedBy; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the pricing tier value. Microsoft Defender for Cloud + /// is provided in two pricing tiers: free and standard, with the + /// standard tier available with a trial period. The standard tier + /// offers advanced security capabilities, while the free tier offers + /// basic security features. Possible values include: 'Free', + /// 'Standard' + /// + [JsonProperty(PropertyName = "properties.pricingTier")] + public string PricingTier { get; set; } + + /// + /// Gets or sets the sub-plan selected for a Standard pricing + /// configuration, when more than one sub-plan is available. Each + /// sub-plan enables a set of security features. When not specified, + /// full plan is applied. + /// + [JsonProperty(PropertyName = "properties.subPlan")] + public string SubPlan { get; set; } + + /// + /// Gets the duration left for the subscriptions free trial period - in + /// ISO 8601 format (e.g. P3Y6M4DT12H30M5S). + /// + [JsonProperty(PropertyName = "properties.freeTrialRemainingTime")] + public System.TimeSpan? FreeTrialRemainingTime { get; private set; } + + /// + /// Gets optional. True if the plan is deprecated. 
If there are + /// replacing plans they will appear in `replacedBy` property + /// + [JsonProperty(PropertyName = "properties.deprecated")] + public bool? Deprecated { get; private set; } + + /// + /// Gets optional. List of plans that replace this plan. This property + /// exists only if this plan is deprecated. + /// + [JsonProperty(PropertyName = "properties.replacedBy")] + public IList ReplacedBy { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (PricingTier == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PricingTier"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PricingList.cs b/src/Security/Security.Management.Sdk/Generated/Models/PricingList.cs new file mode 100644 index 000000000000..6d3f6c87855b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/PricingList.cs 
@@ -0,0 +1,77 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// List of pricing configurations response. + /// + public partial class PricingList + { + /// + /// Initializes a new instance of the PricingList class. + /// + public PricingList() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the PricingList class. + /// + /// List of pricing configurations + public PricingList(IList value) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of pricing configurations + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Value == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Value"); + } + if (Value != null) + { + foreach (var element in Value) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PricingTier.cs b/src/Security/Security.Management.Sdk/Generated/Models/PricingTier.cs new file mode 100644 index 000000000000..cd2176a35423 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/PricingTier.cs 
@@ -0,0 +1,30 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for PricingTier. + /// + public static class PricingTier + { + /// + /// Get free Microsoft Defender for Cloud experience with basic + /// security features + /// + public const string Free = "Free"; + /// + /// Get the standard Microsoft Defender for Cloud experience with + /// advanced security features + /// + public const string Standard = "Standard"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ProcessNotAllowed.cs b/src/Security/Security.Management.Sdk/Generated/Models/ProcessNotAllowed.cs new file mode 100644 index 000000000000..66e7dc1f46f9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ProcessNotAllowed.cs 
@@ -0,0 +1,67 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Execution of a process that isn't allowed. Allow list consists of + /// process names to allow. + /// + [Newtonsoft.Json.JsonObject("ProcessNotAllowed")] + public partial class ProcessNotAllowed : AllowlistCustomAlertRule + { + /// + /// Initializes a new instance of the ProcessNotAllowed class. + /// + public ProcessNotAllowed() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ProcessNotAllowed class. + /// + /// Status of the custom alert. + /// The values to allow. The format of + /// the values depends on the rule type. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + /// The value type of the items in the list. + /// Possible values include: 'IpCidr', 'String' + public ProcessNotAllowed(bool isEnabled, IList allowlistValues, string displayName = default(string), string description = default(string), string valueType = default(string)) + : base(isEnabled, allowlistValues, displayName, description, valueType) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PropertyType.cs b/src/Security/Security.Management.Sdk/Generated/Models/PropertyType.cs new file mode 100644 index 000000000000..2cc27d136067 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/PropertyType.cs @@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for PropertyType. + /// + public static class PropertyType + { + public const string String = "String"; + public const string Integer = "Integer"; + public const string Number = "Number"; + public const string Boolean = "Boolean"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ProtectionMode.cs b/src/Security/Security.Management.Sdk/Generated/Models/ProtectionMode.cs new file mode 100644 index 000000000000..620558e29e99 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ProtectionMode.cs 
@@ -0,0 +1,80 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The protection mode of the collection/file types. Exe/Msi/Script are + /// used for Windows, Executable is used for Linux. + /// + public partial class ProtectionMode + { + /// + /// Initializes a new instance of the ProtectionMode class. + /// + public ProtectionMode() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ProtectionMode class. + /// + /// Possible values include: 'Audit', 'Enforce', + /// 'None' + /// Possible values include: 'Audit', 'Enforce', + /// 'None' + /// Possible values include: 'Audit', 'Enforce', + /// 'None' + /// Possible values include: 'Audit', + /// 'Enforce', 'None' + public ProtectionMode(string exe = default(string), string msi = default(string), string script = default(string), string executable = default(string)) + { + Exe = exe; + Msi = msi; + Script = script; + Executable = executable; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets possible values include: 'Audit', 'Enforce', 'None' + /// + [JsonProperty(PropertyName = "exe")] + public string Exe { get; set; } + + /// + /// Gets or sets possible values include: 'Audit', 'Enforce', 'None' + /// + [JsonProperty(PropertyName = "msi")] + public string Msi { get; set; } + + /// + /// Gets or sets possible values include: 'Audit', 'Enforce', 'None' + /// + [JsonProperty(PropertyName = "script")] + public string Script { get; set; } + + /// + /// Gets or sets possible values include: 
'Audit', 'Enforce', 'None' + /// + [JsonProperty(PropertyName = "executable")] + public string Executable { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Protocol.cs b/src/Security/Security.Management.Sdk/Generated/Models/Protocol.cs new file mode 100644 index 000000000000..e73c096a0219 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Protocol.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Protocol. + /// + public static class Protocol + { + public const string TCP = "TCP"; + public const string UDP = "UDP"; + public const string All = "*"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ProvisioningState.cs b/src/Security/Security.Management.Sdk/Generated/Models/ProvisioningState.cs new file mode 100644 index 000000000000..3402e79694b0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ProvisioningState.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ProvisioningState. + /// + public static class ProvisioningState + { + public const string Succeeded = "Succeeded"; + public const string Failed = "Failed"; + public const string Updating = "Updating"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ProxyServerProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ProxyServerProperties.cs new file mode 100644 index 000000000000..2f0253d64a38 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ProxyServerProperties.cs @@ -0,0 +1,60 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// For a non-Azure machine that is not connected directly to the internet, + /// specify a proxy server that the non-Azure machine can use. + /// + public partial class ProxyServerProperties + { + /// + /// Initializes a new instance of the ProxyServerProperties class. + /// + public ProxyServerProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ProxyServerProperties class. + /// + /// Proxy server IP + /// Proxy server port + public ProxyServerProperties(string ip = default(string), string port = default(string)) + { + Ip = ip; + Port = port; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets proxy server IP + /// + [JsonProperty(PropertyName = "ip")] + public string Ip { get; set; } + + /// + /// Gets or sets proxy server port + /// + [JsonProperty(PropertyName = "port")] + public string Port { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/PublisherInfo.cs b/src/Security/Security.Management.Sdk/Generated/Models/PublisherInfo.cs new file mode 100644 index 000000000000..2ddd5dc41bc4 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/PublisherInfo.cs 
@@ -0,0 +1,86 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents the publisher information of a process/rule + /// + public partial class PublisherInfo + { + /// + /// Initializes a new instance of the PublisherInfo class. + /// + public PublisherInfo() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the PublisherInfo class. + /// + /// The Subject field of the x.509 + /// certificate used to sign the code, using the following fields - O + /// = Organization, L = Locality, S = State or Province, and C = + /// Country + /// The product name taken from the file's + /// version resource + /// The "OriginalName" field taken from the + /// file's version resource + /// The binary file version taken from the file's + /// version resource + public PublisherInfo(string publisherName = default(string), string productName = default(string), string binaryName = default(string), string version = default(string)) + { + PublisherName = publisherName; + ProductName = productName; + BinaryName = binaryName; + Version = version; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the Subject field of the x.509 certificate used to + /// sign the code, using the following fields - O = Organization, L = + /// Locality, S = State or Province, and C = Country + /// + [JsonProperty(PropertyName = "publisherName")] + public string PublisherName { get; set; } + + /// + /// Gets or sets the product name taken from the file's version + /// resource + 
/// + [JsonProperty(PropertyName = "productName")] + public string ProductName { get; set; } + + /// + /// Gets or sets the "OriginalName" field taken from the file's version + /// resource + /// + [JsonProperty(PropertyName = "binaryName")] + public string BinaryName { get; set; } + + /// + /// Gets or sets the binary file version taken from the file's version + /// resource + /// + [JsonProperty(PropertyName = "version")] + public string Version { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/QueryCheck.cs b/src/Security/Security.Management.Sdk/Generated/Models/QueryCheck.cs new file mode 100644 index 000000000000..3150c3f2832b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/QueryCheck.cs 
@@ -0,0 +1,69 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The rule query details. + /// + public partial class QueryCheck + { + /// + /// Initializes a new instance of the QueryCheck class. + /// + public QueryCheck() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the QueryCheck class. + /// + /// The rule query. + /// Expected result. + /// Column names of expected result. + public QueryCheck(string query = default(string), IList> expectedResult = default(IList>), IList columnNames = default(IList)) + { + Query = query; + ExpectedResult = expectedResult; + ColumnNames = columnNames; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the rule query. + /// + [JsonProperty(PropertyName = "query")] + public string Query { get; set; } + + /// + /// Gets or sets expected result. + /// + [JsonProperty(PropertyName = "expectedResult")] + public IList> ExpectedResult { get; set; } + + /// + /// Gets or sets column names of expected result. + /// + [JsonProperty(PropertyName = "columnNames")] + public IList ColumnNames { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/QueuePurgesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/QueuePurgesNotInAllowedRange.cs new file mode 100644 index 000000000000..e7a506d93b60 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/QueuePurgesNotInAllowedRange.cs @@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of device queue purges is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("QueuePurgesNotInAllowedRange")] + public partial class QueuePurgesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the QueuePurgesNotInAllowedRange + /// class. + /// + public QueuePurgesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the QueuePurgesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public QueuePurgesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Rank.cs b/src/Security/Security.Management.Sdk/Generated/Models/Rank.cs new file mode 100644 index 000000000000..a3b52881e9ca --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Rank.cs @@ -0,0 +1,78 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using Newtonsoft.Json.Converters; + using System.Runtime; + using System.Runtime.Serialization; + + /// + /// Defines values for Rank. + /// + [JsonConverter(typeof(StringEnumConverter))] + public enum Rank + { + [EnumMember(Value = "None")] + None, + [EnumMember(Value = "Low")] + Low, + [EnumMember(Value = "Medium")] + Medium, + [EnumMember(Value = "High")] + High, + [EnumMember(Value = "Critical")] + Critical + } + internal static class RankEnumExtension + { + internal static string ToSerializedValue(this Rank? value) + { + return value == null ? null : ((Rank)value).ToSerializedValue(); + } + + internal static string ToSerializedValue(this Rank value) + { + switch( value ) + { + case Rank.None: + return "None"; + case Rank.Low: + return "Low"; + case Rank.Medium: + return "Medium"; + case Rank.High: + return "High"; + case Rank.Critical: + return "Critical"; + } + return null; + } + + internal static Rank? ParseRank(this string value) + { + switch( value ) + { + case "None": + return Rank.None; + case "Low": + return Rank.Low; + case "Medium": + return Rank.Medium; + case "High": + return Rank.High; + case "Critical": + return Rank.Critical; + } + return null; + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigStatus.cs new file mode 100644 index 000000000000..43bb6bcde242 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigStatus.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for RecommendationConfigStatus. + /// + public static class RecommendationConfigStatus + { + public const string Disabled = "Disabled"; + public const string Enabled = "Enabled"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigurationProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigurationProperties.cs new file mode 100644 index 000000000000..8f915c231964 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationConfigurationProperties.cs 
@@ -0,0 +1,107 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The type of IoT Security recommendation. + /// + public partial class RecommendationConfigurationProperties + { + /// + /// Initializes a new instance of the + /// RecommendationConfigurationProperties class. + /// + public RecommendationConfigurationProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// RecommendationConfigurationProperties class. + /// + /// The type of IoT Security + /// recommendation. Possible values include: 'IoT_ACRAuthentication', + /// 'IoT_AgentSendsUnutilizedMessages', 'IoT_Baseline', + /// 'IoT_EdgeHubMemOptimize', 'IoT_EdgeLoggingOptions', + /// 'IoT_InconsistentModuleSettings', 'IoT_InstallAgent', + /// 'IoT_IPFilter_DenyAll', 'IoT_IPFilter_PermissiveRule', + /// 'IoT_OpenPorts', 'IoT_PermissiveFirewallPolicy', + /// 'IoT_PermissiveInputFirewallRules', + /// 'IoT_PermissiveOutputFirewallRules', 'IoT_PrivilegedDockerOptions', + /// 'IoT_SharedCredentials', 'IoT_VulnerableTLSCipherSuite' + /// Recommendation status. When the recommendation + /// status is disabled recommendations are not generated. 
Possible + /// values include: 'Disabled', 'Enabled' + public RecommendationConfigurationProperties(string recommendationType, string status, string name = default(string)) + { + RecommendationType = recommendationType; + Name = name; + Status = status; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the type of IoT Security recommendation. Possible + /// values include: 'IoT_ACRAuthentication', + /// 'IoT_AgentSendsUnutilizedMessages', 'IoT_Baseline', + /// 'IoT_EdgeHubMemOptimize', 'IoT_EdgeLoggingOptions', + /// 'IoT_InconsistentModuleSettings', 'IoT_InstallAgent', + /// 'IoT_IPFilter_DenyAll', 'IoT_IPFilter_PermissiveRule', + /// 'IoT_OpenPorts', 'IoT_PermissiveFirewallPolicy', + /// 'IoT_PermissiveInputFirewallRules', + /// 'IoT_PermissiveOutputFirewallRules', 'IoT_PrivilegedDockerOptions', + /// 'IoT_SharedCredentials', 'IoT_VulnerableTLSCipherSuite' + /// + [JsonProperty(PropertyName = "recommendationType")] + public string RecommendationType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets or sets recommendation status. When the recommendation status + /// is disabled recommendations are not generated. Possible values + /// include: 'Disabled', 'Enabled' + /// + [JsonProperty(PropertyName = "status")] + public string Status { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (RecommendationType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "RecommendationType"); + } + if (Status == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Status"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RecommendationType.cs b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationType.cs new file mode 100644 index 000000000000..325aab5eebae --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RecommendationType.cs 
@@ -0,0 +1,101 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for RecommendationType. + /// + public static class RecommendationType + { + /// + /// Authentication schema used for pull an edge module from an ACR + /// repository does not use Service Principal Authentication. + /// + public const string IoTACRAuthentication = "IoT_ACRAuthentication"; + /// + /// IoT agent message size capacity is currently underutilized, causing + /// an increase in the number of sent messages. Adjust message + /// intervals for better utilization. + /// + public const string IoTAgentSendsUnutilizedMessages = "IoT_AgentSendsUnutilizedMessages"; + /// + /// Identified security related system configuration issues. + /// + public const string IoTBaseline = "IoT_Baseline"; + /// + /// You can optimize Edge Hub memory usage by turning off protocol + /// heads for any protocols not used by Edge modules in your solution. + /// + public const string IoTEdgeHubMemOptimize = "IoT_EdgeHubMemOptimize"; + /// + /// Logging is disabled for this edge module. + /// + public const string IoTEdgeLoggingOptions = "IoT_EdgeLoggingOptions"; + /// + /// A minority within a device security group has inconsistent Edge + /// Module settings with the rest of their group. + /// + public const string IoTInconsistentModuleSettings = "IoT_InconsistentModuleSettings"; + /// + /// Install the Azure Security of Things Agent. + /// + public const string IoTInstallAgent = "IoT_InstallAgent"; + /// + /// IP Filter Configuration should have rules defined for allowed + /// traffic and should deny all other traffic by default. 
+ /// + public const string IoTIPFilterDenyAll = "IoT_IPFilter_DenyAll"; + /// + /// An Allow IP Filter rules source IP range is too large. Overly + /// permissive rules might expose your IoT hub to malicious intenders. + /// + public const string IoTIPFilterPermissiveRule = "IoT_IPFilter_PermissiveRule"; + /// + /// A listening endpoint was found on the device. + /// + public const string IoTOpenPorts = "IoT_OpenPorts"; + /// + /// An Allowed firewall policy was found (INPUT/OUTPUT). The policy + /// should Deny all traffic by default and define rules to allow + /// necessary communication to/from the device. + /// + public const string IoTPermissiveFirewallPolicy = "IoT_PermissiveFirewallPolicy"; + /// + /// A rule in the firewall has been found that contains a permissive + /// pattern for a wide range of IP addresses or Ports. + /// + public const string IoTPermissiveInputFirewallRules = "IoT_PermissiveInputFirewallRules"; + /// + /// A rule in the firewall has been found that contains a permissive + /// pattern for a wide range of IP addresses or Ports. + /// + public const string IoTPermissiveOutputFirewallRules = "IoT_PermissiveOutputFirewallRules"; + /// + /// Edge module is configured to run in privileged mode, with extensive + /// Linux capabilities or with host-level network access (send/receive + /// data to host machine). + /// + public const string IoTPrivilegedDockerOptions = "IoT_PrivilegedDockerOptions"; + /// + /// Same authentication credentials to the IoT Hub used by multiple + /// devices. This could indicate an illegitimate device impersonating a + /// legitimate device. It also exposes the risk of device impersonation + /// by an attacker. + /// + public const string IoTSharedCredentials = "IoT_SharedCredentials"; + /// + /// Insecure TLS configurations detected. Immediate upgrade + /// recommended. + /// + public const string IoTVulnerableTLSCipherSuite = "IoT_VulnerableTLSCipherSuite"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceAssessment.cs b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceAssessment.cs new file mode 100644 index 000000000000..35ebdfade6fc --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceAssessment.cs 
@@ -0,0 +1,134 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Regulatory compliance assessment details and state + /// + [Rest.Serialization.JsonTransformation] + public partial class RegulatoryComplianceAssessment : Resource + { + /// + /// Initializes a new instance of the RegulatoryComplianceAssessment + /// class. + /// + public RegulatoryComplianceAssessment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RegulatoryComplianceAssessment + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The description of the regulatory + /// compliance assessment + /// The expected type of assessment + /// contained in the AssessmentDetailsLink + /// Link to more detailed + /// assessment results data. The response type will be according to the + /// assessmentType field + /// Aggregative state based on the assessment's + /// scanned resources states. Possible values include: 'Passed', + /// 'Failed', 'Skipped', 'Unsupported' + /// The given assessment's related + /// resources count with passed state. + /// The given assessment's related + /// resources count with failed state. + /// The given assessment's related + /// resources count with skipped state. + /// The given assessment's related + /// resources count with unsupported state. 
+ public RegulatoryComplianceAssessment(string id = default(string), string name = default(string), string type = default(string), string description = default(string), string assessmentType = default(string), string assessmentDetailsLink = default(string), string state = default(string), int? passedResources = default(int?), int? failedResources = default(int?), int? skippedResources = default(int?), int? unsupportedResources = default(int?)) + : base(id, name, type) + { + Description = description; + AssessmentType = assessmentType; + AssessmentDetailsLink = assessmentDetailsLink; + State = state; + PassedResources = passedResources; + FailedResources = failedResources; + SkippedResources = skippedResources; + UnsupportedResources = unsupportedResources; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the description of the regulatory compliance assessment + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets the expected type of assessment contained in the + /// AssessmentDetailsLink + /// + [JsonProperty(PropertyName = "properties.assessmentType")] + public string AssessmentType { get; private set; } + + /// + /// Gets link to more detailed assessment results data. The response + /// type will be according to the assessmentType field + /// + [JsonProperty(PropertyName = "properties.assessmentDetailsLink")] + public string AssessmentDetailsLink { get; private set; } + + /// + /// Gets or sets aggregative state based on the assessment's scanned + /// resources states. Possible values include: 'Passed', 'Failed', + /// 'Skipped', 'Unsupported' + /// + [JsonProperty(PropertyName = "properties.state")] + public string State { get; set; } + + /// + /// Gets the given assessment's related resources count with passed + /// state. 
+ /// + [JsonProperty(PropertyName = "properties.passedResources")] + public int? PassedResources { get; private set; } + + /// + /// Gets the given assessment's related resources count with failed + /// state. + /// + [JsonProperty(PropertyName = "properties.failedResources")] + public int? FailedResources { get; private set; } + + /// + /// Gets the given assessment's related resources count with skipped + /// state. + /// + [JsonProperty(PropertyName = "properties.skippedResources")] + public int? SkippedResources { get; private set; } + + /// + /// Gets the given assessment's related resources count with + /// unsupported state. + /// + [JsonProperty(PropertyName = "properties.unsupportedResources")] + public int? UnsupportedResources { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceControl.cs b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceControl.cs new file mode 100644 index 000000000000..0d66fb6f07b5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceControl.cs 
@@ -0,0 +1,106 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Regulatory compliance control details and state + /// + [Rest.Serialization.JsonTransformation] + public partial class RegulatoryComplianceControl : Resource + { + /// + /// Initializes a new instance of the RegulatoryComplianceControl + /// class. + /// + public RegulatoryComplianceControl() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RegulatoryComplianceControl + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The description of the regulatory + /// compliance control + /// Aggregative state based on the control's + /// supported assessments states. Possible values include: 'Passed', + /// 'Failed', 'Skipped', 'Unsupported' + /// The number of supported regulatory + /// compliance assessments of the given control with a passed + /// state + /// The number of supported regulatory + /// compliance assessments of the given control with a failed + /// state + /// The number of supported regulatory + /// compliance assessments of the given control with a skipped + /// state + public RegulatoryComplianceControl(string id = default(string), string name = default(string), string type = default(string), string description = default(string), string state = default(string), int? passedAssessments = default(int?), int? failedAssessments = default(int?), int? 
skippedAssessments = default(int?)) + : base(id, name, type) + { + Description = description; + State = state; + PassedAssessments = passedAssessments; + FailedAssessments = failedAssessments; + SkippedAssessments = skippedAssessments; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the description of the regulatory compliance control + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets or sets aggregative state based on the control's supported + /// assessments states. Possible values include: 'Passed', 'Failed', + /// 'Skipped', 'Unsupported' + /// + [JsonProperty(PropertyName = "properties.state")] + public string State { get; set; } + + /// + /// Gets the number of supported regulatory compliance assessments of + /// the given control with a passed state + /// + [JsonProperty(PropertyName = "properties.passedAssessments")] + public int? PassedAssessments { get; private set; } + + /// + /// Gets the number of supported regulatory compliance assessments of + /// the given control with a failed state + /// + [JsonProperty(PropertyName = "properties.failedAssessments")] + public int? FailedAssessments { get; private set; } + + /// + /// Gets the number of supported regulatory compliance assessments of + /// the given control with a skipped state + /// + [JsonProperty(PropertyName = "properties.skippedAssessments")] + public int? SkippedAssessments { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceStandard.cs b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceStandard.cs new file mode 100644 index 000000000000..754f8a0f0488 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RegulatoryComplianceStandard.cs 
@@ -0,0 +1,108 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Regulatory compliance standard details and state + /// + [Rest.Serialization.JsonTransformation] + public partial class RegulatoryComplianceStandard : Resource + { + /// + /// Initializes a new instance of the RegulatoryComplianceStandard + /// class. + /// + public RegulatoryComplianceStandard() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RegulatoryComplianceStandard + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Aggregative state based on the standard's + /// supported controls states. Possible values include: 'Passed', + /// 'Failed', 'Skipped', 'Unsupported' + /// The number of supported regulatory + /// compliance controls of the given standard with a passed + /// state + /// The number of supported regulatory + /// compliance controls of the given standard with a failed + /// state + /// The number of supported regulatory + /// compliance controls of the given standard with a skipped + /// state + /// The number of regulatory + /// compliance controls of the given standard which are unsupported by + /// automated assessments + public RegulatoryComplianceStandard(string id = default(string), string name = default(string), string type = default(string), string state = default(string), int? passedControls = default(int?), int? failedControls = default(int?), int? skippedControls = default(int?), int? 
unsupportedControls = default(int?)) + : base(id, name, type) + { + State = state; + PassedControls = passedControls; + FailedControls = failedControls; + SkippedControls = skippedControls; + UnsupportedControls = unsupportedControls; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets aggregative state based on the standard's supported + /// controls states. Possible values include: 'Passed', 'Failed', + /// 'Skipped', 'Unsupported' + /// + [JsonProperty(PropertyName = "properties.state")] + public string State { get; set; } + + /// + /// Gets the number of supported regulatory compliance controls of the + /// given standard with a passed state + /// + [JsonProperty(PropertyName = "properties.passedControls")] + public int? PassedControls { get; private set; } + + /// + /// Gets the number of supported regulatory compliance controls of the + /// given standard with a failed state + /// + [JsonProperty(PropertyName = "properties.failedControls")] + public int? FailedControls { get; private set; } + + /// + /// Gets the number of supported regulatory compliance controls of the + /// given standard with a skipped state + /// + [JsonProperty(PropertyName = "properties.skippedControls")] + public int? SkippedControls { get; private set; } + + /// + /// Gets the number of regulatory compliance controls of the given + /// standard which are unsupported by automated assessments + /// + [JsonProperty(PropertyName = "properties.unsupportedControls")] + public int? UnsupportedControls { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Remediation.cs b/src/Security/Security.Management.Sdk/Generated/Models/Remediation.cs new file mode 100644 index 000000000000..16eb64f95179 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Remediation.cs 
@@ -0,0 +1,78 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Remediation details. + /// + public partial class Remediation + { + /// + /// Initializes a new instance of the Remediation class. + /// + public Remediation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Remediation class. + /// + /// Remediation description. + /// Remediation script. + /// Is remediation automated. + /// Optional link to remediate in Azure + /// Portal. + public Remediation(string description = default(string), IList scripts = default(IList), bool? automated = default(bool?), string portalLink = default(string)) + { + Description = description; + Scripts = scripts; + Automated = automated; + PortalLink = portalLink; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets remediation description. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets remediation script. + /// + [JsonProperty(PropertyName = "scripts")] + public IList Scripts { get; set; } + + /// + /// Gets or sets is remediation automated. + /// + [JsonProperty(PropertyName = "automated")] + public bool? Automated { get; set; } + + /// + /// Gets or sets optional link to remediate in Azure Portal. + /// + [JsonProperty(PropertyName = "portalLink")] + public string PortalLink { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RemediationEta.cs b/src/Security/Security.Management.Sdk/Generated/Models/RemediationEta.cs new file mode 100644 index 000000000000..58762587feee --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RemediationEta.cs @@ -0,0 +1,74 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// The ETA (estimated time of arrival) for remediation + /// + public partial class RemediationEta + { + /// + /// Initializes a new instance of the RemediationEta class. + /// + public RemediationEta() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RemediationEta class. + /// + /// ETA for remediation. + /// Justification for change of + /// Eta. + public RemediationEta(System.DateTime eta, string justification) + { + Eta = eta; + Justification = justification; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets ETA for remediation. + /// + [JsonProperty(PropertyName = "eta")] + public System.DateTime Eta { get; set; } + + /// + /// Gets or sets justification for change of Eta. + /// + [JsonProperty(PropertyName = "justification")] + public string Justification { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Justification == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Justification"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ReportedSeverity.cs b/src/Security/Security.Management.Sdk/Generated/Models/ReportedSeverity.cs new file mode 100644 index 000000000000..95ad7f4efcb8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ReportedSeverity.cs @@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ReportedSeverity. + /// + public static class ReportedSeverity + { + public const string Informational = "Informational"; + public const string Low = "Low"; + public const string Medium = "Medium"; + public const string High = "High"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ResourceDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/ResourceDetails.cs new file mode 100644 index 000000000000..6ab1d4f7544f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ResourceDetails.cs 
@@ -0,0 +1,37 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the resource that was assessed + /// + [Newtonsoft.Json.JsonObject("ResourceDetails")] + public partial class ResourceDetails + { + /// + /// Initializes a new instance of the ResourceDetails class. + /// + public ResourceDetails() + { + CustomInit(); + } + + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs b/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs index bc31b41d1edd..261c4ea106f6 100644 --- a/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs +++ b/src/Security/Security.Management.Sdk/Generated/Models/ResourceIdentifier.cs @@ -10,6 +10,7 @@ namespace Microsoft.Azure.Management.Security.Models { + using Newtonsoft.Json; using System.Linq; /// @@ -17,6 +18,7 @@ namespace Microsoft.Azure.Management.Security.Models /// alert to the right product exposure group (tenant, workspace, /// subscription etc.). /// + [Newtonsoft.Json.JsonObject("ResourceIdentifier")] public partial class ResourceIdentifier { /// diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ResourceStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/ResourceStatus.cs new file mode 100644 index 000000000000..72433f55bfed --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ResourceStatus.cs 
@@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ResourceStatus. + /// + public static class ResourceStatus + { + /// + /// This assessment on the resource is healthy + /// + public const string Healthy = "Healthy"; + /// + /// This assessment is not applicable to this resource + /// + public const string NotApplicable = "NotApplicable"; + /// + /// This assessment is turned off by policy on this subscription + /// + public const string OffByPolicy = "OffByPolicy"; + /// + /// This assessment on the resource is not healthy + /// + public const string NotHealthy = "NotHealthy"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Roles.cs b/src/Security/Security.Management.Sdk/Generated/Models/Roles.cs new file mode 100644 index 000000000000..bcfb1a8b1190 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Roles.cs 
@@ -0,0 +1,38 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Roles. + /// + public static class Roles + { + /// + /// If enabled, send notification on new alerts to the account admins + /// + public const string AccountAdmin = "AccountAdmin"; + /// + /// If enabled, send notification on new alerts to the service admins + /// + public const string ServiceAdmin = "ServiceAdmin"; + /// + /// If enabled, send notification on new alerts to the subscription + /// owners + /// + public const string Owner = "Owner"; + /// + /// If enabled, send notification on new alerts to the subscription + /// contributors + /// + public const string Contributor = "Contributor"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Rule.cs b/src/Security/Security.Management.Sdk/Generated/Models/Rule.cs new file mode 100644 index 000000000000..7ca280d9e7c5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Rule.cs 
@@ -0,0 +1,93 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes remote addresses that is recommended to communicate with the + /// Azure resource on some (Protocol, Port, Direction). All other remote + /// addresses are recommended to be blocked + /// + public partial class Rule + { + /// + /// Initializes a new instance of the Rule class. + /// + public Rule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Rule class. + /// + /// The name of the rule + /// The rule's direction. Possible values + /// include: 'Inbound', 'Outbound' + /// The rule's destination port + /// The rule's transport protocols + /// The remote IP addresses that should be + /// able to communicate with the Azure resource on the rule's + /// destination port and protocol + public Rule(string name = default(string), string direction = default(string), int? destinationPort = default(int?), IList protocols = default(IList), IList ipAddresses = default(IList)) + { + Name = name; + Direction = direction; + DestinationPort = destinationPort; + Protocols = protocols; + IpAddresses = ipAddresses; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the name of the rule + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; set; } + + /// + /// Gets or sets the rule's direction. 
Possible values include: + /// 'Inbound', 'Outbound' + /// + [JsonProperty(PropertyName = "direction")] + public string Direction { get; set; } + + /// + /// Gets or sets the rule's destination port + /// + [JsonProperty(PropertyName = "destinationPort")] + public int? DestinationPort { get; set; } + + /// + /// Gets or sets the rule's transport protocols + /// + [JsonProperty(PropertyName = "protocols")] + public IList Protocols { get; set; } + + /// + /// Gets or sets the remote IP addresses that should be able to + /// communicate with the Azure resource on the rule's destination port + /// and protocol + /// + [JsonProperty(PropertyName = "ipAddresses")] + public IList IpAddresses { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleResults.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleResults.cs new file mode 100644 index 000000000000..6e8fe66927d2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleResults.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Rule results. + /// + public partial class RuleResults : Resource + { + /// + /// Initializes a new instance of the RuleResults class. + /// + public RuleResults() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RuleResults class. + /// + /// Resource Id + /// Resource name + /// Resource type + public RuleResults(string id = default(string), string name = default(string), string type = default(string), RuleResultsProperties properties = default(RuleResultsProperties)) + : base(id, name, type) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public RuleResultsProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsInput.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsInput.cs new file mode 100644 index 000000000000..48175a551b15 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsInput.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Rule results input. + /// + public partial class RuleResultsInput + { + /// + /// Initializes a new instance of the RuleResultsInput class. + /// + public RuleResultsInput() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RuleResultsInput class. + /// + /// Take results from latest scan. + /// Expected results to be inserted into the + /// baseline. + /// Leave this field empty it LatestScan == true. + public RuleResultsInput(bool? latestScan = default(bool?), IList> results = default(IList>)) + { + LatestScan = latestScan; + Results = results; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets take results from latest scan. + /// + [JsonProperty(PropertyName = "latestScan")] + public bool? LatestScan { get; set; } + + /// + /// Gets or sets expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + [JsonProperty(PropertyName = "results")] + public IList> Results { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsProperties.cs new file mode 100644 index 000000000000..b2ac5f11bd07 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleResultsProperties.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Rule results properties. + /// + public partial class RuleResultsProperties + { + /// + /// Initializes a new instance of the RuleResultsProperties class. + /// + public RuleResultsProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RuleResultsProperties class. + /// + /// Expected results in the baseline. + public RuleResultsProperties(IList> results = default(IList>)) + { + Results = results; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets expected results in the baseline. + /// + [JsonProperty(PropertyName = "results")] + public IList> Results { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleSeverity.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleSeverity.cs new file mode 100644 index 000000000000..b8a0d9d07aa2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleSeverity.cs 
@@ -0,0 +1,40 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for RuleSeverity. + /// + public static class RuleSeverity + { + /// + /// High + /// + public const string High = "High"; + /// + /// Medium + /// + public const string Medium = "Medium"; + /// + /// Low + /// + public const string Low = "Low"; + /// + /// Informational + /// + public const string Informational = "Informational"; + /// + /// Obsolete + /// + public const string Obsolete = "Obsolete"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleState.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleState.cs new file mode 100644 index 000000000000..0387421fabb7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleState.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using Newtonsoft.Json.Converters; + using System.Runtime; + using System.Runtime.Serialization; + + /// + /// Defines values for RuleState. + /// + [JsonConverter(typeof(StringEnumConverter))] + public enum RuleState + { + [EnumMember(Value = "Enabled")] + Enabled, + [EnumMember(Value = "Disabled")] + Disabled, + [EnumMember(Value = "Expired")] + Expired + } + internal static class RuleStateEnumExtension + { + internal static string ToSerializedValue(this RuleState? value) + { + return value == null ? null : ((RuleState)value).ToSerializedValue(); + } + + internal static string ToSerializedValue(this RuleState value) + { + switch( value ) + { + case RuleState.Enabled: + return "Enabled"; + case RuleState.Disabled: + return "Disabled"; + case RuleState.Expired: + return "Expired"; + } + return null; + } + + internal static RuleState? ParseRuleState(this string value) + { + switch( value ) + { + case "Enabled": + return RuleState.Enabled; + case "Disabled": + return RuleState.Disabled; + case "Expired": + return RuleState.Expired; + } + return null; + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleStatus.cs new file mode 100644 index 000000000000..cf84cb6f5d92 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleStatus.cs 
@@ -0,0 +1,32 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for RuleStatus. + /// + public static class RuleStatus + { + /// + /// NonFinding + /// + public const string NonFinding = "NonFinding"; + /// + /// Finding + /// + public const string Finding = "Finding"; + /// + /// InternalError + /// + public const string InternalError = "InternalError"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RuleType.cs b/src/Security/Security.Management.Sdk/Generated/Models/RuleType.cs new file mode 100644 index 000000000000..994750901819 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RuleType.cs @@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for RuleType. + /// + public static class RuleType + { + /// + /// Binary + /// + public const string Binary = "Binary"; + /// + /// BaselineExpected + /// + public const string BaselineExpected = "BaselineExpected"; + /// + /// PositiveList + /// + public const string PositiveList = "PositiveList"; + /// + /// NegativeList + /// + public const string NegativeList = "NegativeList"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RulesResults.cs b/src/Security/Security.Management.Sdk/Generated/Models/RulesResults.cs new file mode 100644 index 000000000000..6b7f1bacf56e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RulesResults.cs @@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A list of rules results. + /// + public partial class RulesResults + { + /// + /// Initializes a new instance of the RulesResults class. + /// + public RulesResults() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RulesResults class. + /// + /// List of rule results. + public RulesResults(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of rule results. + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/RulesResultsInput.cs b/src/Security/Security.Management.Sdk/Generated/Models/RulesResultsInput.cs new file mode 100644 index 000000000000..0a4174ce060e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/RulesResultsInput.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Rules results input. + /// + public partial class RulesResultsInput + { + /// + /// Initializes a new instance of the RulesResultsInput class. + /// + public RulesResultsInput() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the RulesResultsInput class. + /// + /// Take results from latest scan. + /// Expected results to be inserted into the + /// baseline. + /// Leave this field empty it LatestScan == true. + public RulesResultsInput(bool? latestScan = default(bool?), IDictionary>> results = default(IDictionary>>)) + { + LatestScan = latestScan; + Results = results; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets take results from latest scan. + /// + [JsonProperty(PropertyName = "latestScan")] + public bool? LatestScan { get; set; } + + /// + /// Gets or sets expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + [JsonProperty(PropertyName = "results")] + public IDictionary>> Results { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Scan.cs b/src/Security/Security.Management.Sdk/Generated/Models/Scan.cs new file mode 100644 index 000000000000..5df07a4230bf --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Scan.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A vulnerability assessment scan record. + /// + public partial class Scan : Resource + { + /// + /// Initializes a new instance of the Scan class. + /// + public Scan() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Scan class. + /// + /// Resource Id + /// Resource name + /// Resource type + public Scan(string id = default(string), string name = default(string), string type = default(string), ScanProperties properties = default(ScanProperties)) + : base(id, name, type) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public ScanProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanProperties.cs new file mode 100644 index 000000000000..0ed039291522 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanProperties.cs 
@@ -0,0 +1,167 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A vulnerability assessment scan record properties. + /// + public partial class ScanProperties + { + /// + /// Initializes a new instance of the ScanProperties class. + /// + public ScanProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ScanProperties class. + /// + /// Possible values include: 'OnDemand', + /// 'Recurring' + /// Possible values include: 'Failed', + /// 'FailedToRun', 'InProgress', 'Passed' + /// The server name. + /// The database name. + /// The SQL version. + /// The scan start time (UTC). + /// Scan results are valid until end time + /// (UTC). + /// The number of failed + /// rules with high severity. + /// The number of failed + /// rules with medium severity. + /// The number of failed + /// rules with low severity. + /// The number of total passed + /// rules. + /// The number of total failed + /// rules. + /// The number of total rules + /// assessed. + /// Baseline created for this database, + /// and has one or more rules. + public ScanProperties(string triggerType = default(string), string state = default(string), string server = default(string), string database = default(string), string sqlVersion = default(string), System.DateTime? startTime = default(System.DateTime?), System.DateTime? endTime = default(System.DateTime?), int? highSeverityFailedRulesCount = default(int?), int? mediumSeverityFailedRulesCount = default(int?), int? lowSeverityFailedRulesCount = default(int?), int? totalPassedRulesCount = default(int?), int? 
totalFailedRulesCount = default(int?), int? totalRulesCount = default(int?), bool? isBaselineApplied = default(bool?)) + { + TriggerType = triggerType; + State = state; + Server = server; + Database = database; + SqlVersion = sqlVersion; + StartTime = startTime; + EndTime = endTime; + HighSeverityFailedRulesCount = highSeverityFailedRulesCount; + MediumSeverityFailedRulesCount = mediumSeverityFailedRulesCount; + LowSeverityFailedRulesCount = lowSeverityFailedRulesCount; + TotalPassedRulesCount = totalPassedRulesCount; + TotalFailedRulesCount = totalFailedRulesCount; + TotalRulesCount = totalRulesCount; + IsBaselineApplied = isBaselineApplied; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets possible values include: 'OnDemand', 'Recurring' + /// + [JsonProperty(PropertyName = "triggerType")] + public string TriggerType { get; set; } + + /// + /// Gets or sets possible values include: 'Failed', 'FailedToRun', + /// 'InProgress', 'Passed' + /// + [JsonProperty(PropertyName = "state")] + public string State { get; set; } + + /// + /// Gets or sets the server name. + /// + [JsonProperty(PropertyName = "server")] + public string Server { get; set; } + + /// + /// Gets or sets the database name. + /// + [JsonProperty(PropertyName = "database")] + public string Database { get; set; } + + /// + /// Gets or sets the SQL version. + /// + [JsonProperty(PropertyName = "sqlVersion")] + public string SqlVersion { get; set; } + + /// + /// Gets or sets the scan start time (UTC). + /// + [JsonProperty(PropertyName = "startTime")] + public System.DateTime? StartTime { get; set; } + + /// + /// Gets or sets scan results are valid until end time (UTC). + /// + [JsonProperty(PropertyName = "endTime")] + public System.DateTime? EndTime { get; set; } + + /// + /// Gets or sets the number of failed rules with high severity. 
+ /// + [JsonProperty(PropertyName = "highSeverityFailedRulesCount")] + public int? HighSeverityFailedRulesCount { get; set; } + + /// + /// Gets or sets the number of failed rules with medium severity. + /// + [JsonProperty(PropertyName = "mediumSeverityFailedRulesCount")] + public int? MediumSeverityFailedRulesCount { get; set; } + + /// + /// Gets or sets the number of failed rules with low severity. + /// + [JsonProperty(PropertyName = "lowSeverityFailedRulesCount")] + public int? LowSeverityFailedRulesCount { get; set; } + + /// + /// Gets or sets the number of total passed rules. + /// + [JsonProperty(PropertyName = "totalPassedRulesCount")] + public int? TotalPassedRulesCount { get; set; } + + /// + /// Gets or sets the number of total failed rules. + /// + [JsonProperty(PropertyName = "totalFailedRulesCount")] + public int? TotalFailedRulesCount { get; set; } + + /// + /// Gets or sets the number of total rules assessed. + /// + [JsonProperty(PropertyName = "totalRulesCount")] + public int? TotalRulesCount { get; set; } + + /// + /// Gets or sets baseline created for this database, and has one or + /// more rules. + /// + [JsonProperty(PropertyName = "isBaselineApplied")] + public bool? IsBaselineApplied { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanResult.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanResult.cs new file mode 100644 index 000000000000..1cda1f43e431 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanResult.cs 
@@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A vulnerability assessment scan result for a single rule. + /// + public partial class ScanResult : Resource + { + /// + /// Initializes a new instance of the ScanResult class. + /// + public ScanResult() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ScanResult class. + /// + /// Resource Id + /// Resource name + /// Resource type + public ScanResult(string id = default(string), string name = default(string), string type = default(string), ScanResultProperties properties = default(ScanResultProperties)) + : base(id, name, type) + { + Properties = properties; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties")] + public ScanResultProperties Properties { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanResultProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanResultProperties.cs new file mode 100644 index 000000000000..8693056eed0e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanResultProperties.cs 
@@ -0,0 +1,100 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A vulnerability assessment scan result properties for a single rule. + /// + public partial class ScanResultProperties + { + /// + /// Initializes a new instance of the ScanResultProperties class. + /// + public ScanResultProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ScanResultProperties class. + /// + /// The rule Id. + /// Possible values include: 'NonFinding', + /// 'Finding', 'InternalError' + /// Indicated whether the results specified + /// here are trimmed. + /// The results of the query that was + /// run. + public ScanResultProperties(string ruleId = default(string), string status = default(string), bool? isTrimmed = default(bool?), IList> queryResults = default(IList>), Remediation remediation = default(Remediation), BaselineAdjustedResult baselineAdjustedResult = default(BaselineAdjustedResult), VaRule ruleMetadata = default(VaRule)) + { + RuleId = ruleId; + Status = status; + IsTrimmed = isTrimmed; + QueryResults = queryResults; + Remediation = remediation; + BaselineAdjustedResult = baselineAdjustedResult; + RuleMetadata = ruleMetadata; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the rule Id. 
+ /// + [JsonProperty(PropertyName = "ruleId")] + public string RuleId { get; set; } + + /// + /// Gets or sets possible values include: 'NonFinding', 'Finding', + /// 'InternalError' + /// + [JsonProperty(PropertyName = "status")] + public string Status { get; set; } + + /// + /// Gets or sets indicated whether the results specified here are + /// trimmed. + /// + [JsonProperty(PropertyName = "isTrimmed")] + public bool? IsTrimmed { get; set; } + + /// + /// Gets or sets the results of the query that was run. + /// + [JsonProperty(PropertyName = "queryResults")] + public IList> QueryResults { get; set; } + + /// + /// + [JsonProperty(PropertyName = "remediation")] + public Remediation Remediation { get; set; } + + /// + /// + [JsonProperty(PropertyName = "baselineAdjustedResult")] + public BaselineAdjustedResult BaselineAdjustedResult { get; set; } + + /// + /// + [JsonProperty(PropertyName = "ruleMetadata")] + public VaRule RuleMetadata { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanResults.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanResults.cs new file mode 100644 index 000000000000..82b3c05f7285 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanResults.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A list of vulnerability assessment scan results. + /// + public partial class ScanResults + { + /// + /// Initializes a new instance of the ScanResults class. + /// + public ScanResults() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ScanResults class. + /// + /// List of vulnerability assessment scan + /// results. + public ScanResults(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of vulnerability assessment scan results. + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanState.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanState.cs new file mode 100644 index 000000000000..ccda47c95700 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanState.cs 
@@ -0,0 +1,36 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ScanState. + /// + public static class ScanState + { + /// + /// Failed + /// + public const string Failed = "Failed"; + /// + /// FailedToRun + /// + public const string FailedToRun = "FailedToRun"; + /// + /// InProgress + /// + public const string InProgress = "InProgress"; + /// + /// Passed + /// + public const string Passed = "Passed"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanTriggerType.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanTriggerType.cs new file mode 100644 index 000000000000..5ffd2c8c6dfe --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanTriggerType.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ScanTriggerType. + /// + public static class ScanTriggerType + { + /// + /// OnDemand + /// + public const string OnDemand = "OnDemand"; + /// + /// Recurring + /// + public const string Recurring = "Recurring"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScanningMode.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScanningMode.cs new file mode 100644 index 000000000000..ef3aa549aece --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/ScanningMode.cs @@ -0,0 +1,21 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ScanningMode. + /// + public static class ScanningMode + { + public const string Default = "Default"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Scans.cs b/src/Security/Security.Management.Sdk/Generated/Models/Scans.cs new file mode 100644 index 000000000000..4ccc0445a988 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Scans.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A list of vulnerability assessment scan records. + /// + public partial class Scans + { + /// + /// Initializes a new instance of the Scans class. + /// + public Scans() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Scans class. + /// + /// List of vulnerability assessment scan + /// records. + public Scans(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of vulnerability assessment scan records. + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ScopeElement.cs b/src/Security/Security.Management.Sdk/Generated/Models/ScopeElement.cs new file mode 100644 index 000000000000..c7c0bd533565 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ScopeElement.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A more specific scope used to identify the alerts to suppress. + /// + public partial class ScopeElement + { + /// + /// Initializes a new instance of the ScopeElement class. + /// + public ScopeElement() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ScopeElement class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + /// The alert entity type to suppress by. + public ScopeElement(IDictionary additionalProperties = default(IDictionary), string field = default(string)) + { + AdditionalProperties = additionalProperties; + Field = field; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + /// + /// Gets or sets the alert entity type to suppress by. + /// + [JsonProperty(PropertyName = "field")] + public string Field { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionItem.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionItem.cs new file mode 100644 index 000000000000..8692c1b52ee5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionItem.cs 
@@ -0,0 +1,126 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Information about the security control. + /// + [Rest.Serialization.JsonTransformation] + public partial class SecureScoreControlDefinitionItem : Resource + { + /// + /// Initializes a new instance of the SecureScoreControlDefinitionItem + /// class. + /// + public SecureScoreControlDefinitionItem() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecureScoreControlDefinitionItem + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// User friendly display name of the + /// control + /// User friendly description of the + /// control + /// Maximum control score (0..10) + /// Source object from which the control was + /// created + /// Array of assessments metadata + /// IDs that are included in this security control + public SecureScoreControlDefinitionItem(string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), string description = default(string), int? 
maxScore = default(int?), SecureScoreControlDefinitionSource source = default(SecureScoreControlDefinitionSource), IList assessmentDefinitions = default(IList)) + : base(id, name, type) + { + DisplayName = displayName; + Description = description; + MaxScore = maxScore; + Source = source; + AssessmentDefinitions = assessmentDefinitions; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets user friendly display name of the control + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets user friendly description of the control + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets maximum control score (0..10) + /// + [JsonProperty(PropertyName = "properties.maxScore")] + public int? MaxScore { get; private set; } + + /// + /// Gets source object from which the control was created + /// + [JsonProperty(PropertyName = "properties.source")] + public SecureScoreControlDefinitionSource Source { get; private set; } + + /// + /// Gets array of assessments metadata IDs that are included in this + /// security control + /// + [JsonProperty(PropertyName = "properties.assessmentDefinitions")] + public IList AssessmentDefinitions { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Description != null) + { + if (Description.Length > 256) + { + throw new ValidationException(ValidationRules.MaxLength, "Description", 256); + } + } + if (MaxScore != null) + { + if (MaxScore > 10) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "MaxScore", 10); + } + if (MaxScore < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "MaxScore", 0); + } + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionSource.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionSource.cs new file mode 100644 index 000000000000..b7b1aed385e0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDefinitionSource.cs @@ -0,0 +1,55 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The type of the security control (For example, BuiltIn) + /// + public partial class SecureScoreControlDefinitionSource + { + /// + /// Initializes a new instance of the + /// SecureScoreControlDefinitionSource class. + /// + public SecureScoreControlDefinitionSource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecureScoreControlDefinitionSource class. + /// + /// The type of security control (for example, + /// BuiltIn). Possible values include: 'BuiltIn', 'Custom' + public SecureScoreControlDefinitionSource(string sourceType = default(string)) + { + SourceType = sourceType; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the type of security control (for example, BuiltIn). + /// Possible values include: 'BuiltIn', 'Custom' + /// + [JsonProperty(PropertyName = "sourceType")] + public string SourceType { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDetails.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDetails.cs new file mode 100644 index 000000000000..a85e38cb2ff4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlDetails.cs 
@@ -0,0 +1,176 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the security control, its score, and the health status of + /// the relevant resources. + /// + [Rest.Serialization.JsonTransformation] + public partial class SecureScoreControlDetails : Resource + { + /// + /// Initializes a new instance of the SecureScoreControlDetails class. + /// + public SecureScoreControlDetails() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecureScoreControlDetails class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// User friendly display name of the + /// control + /// Maximum score available + /// Current score + /// Ratio of the current score divided by the + /// maximum. Rounded to 4 digits after the decimal point + /// Number of healthy resources in + /// the control + /// Number of unhealthy resources + /// in the control + /// Number of not applicable + /// resources in the control + /// The relative weight for this specific control + /// in each of your subscriptions. Used when calculating an aggregated + /// score for this control across all of your subscriptions. + public SecureScoreControlDetails(string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), int? max = default(int?), double? current = default(double?), double? percentage = default(double?), int? healthyResourceCount = default(int?), int? unhealthyResourceCount = default(int?), int? 
notApplicableResourceCount = default(int?), long? weight = default(long?), SecureScoreControlDefinitionItem definition = default(SecureScoreControlDefinitionItem)) + : base(id, name, type) + { + DisplayName = displayName; + Max = max; + Current = current; + Percentage = percentage; + HealthyResourceCount = healthyResourceCount; + UnhealthyResourceCount = unhealthyResourceCount; + NotApplicableResourceCount = notApplicableResourceCount; + Weight = weight; + Definition = definition; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets user friendly display name of the control + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets maximum score available + /// + [JsonProperty(PropertyName = "properties.score.max")] + public int? Max { get; private set; } + + /// + /// Gets current score + /// + [JsonProperty(PropertyName = "properties.score.current")] + public double? Current { get; private set; } + + /// + /// Gets ratio of the current score divided by the maximum. Rounded to + /// 4 digits after the decimal point + /// + [JsonProperty(PropertyName = "properties.score.percentage")] + public double? Percentage { get; private set; } + + /// + /// Gets number of healthy resources in the control + /// + [JsonProperty(PropertyName = "properties.healthyResourceCount")] + public int? HealthyResourceCount { get; private set; } + + /// + /// Gets number of unhealthy resources in the control + /// + [JsonProperty(PropertyName = "properties.unhealthyResourceCount")] + public int? UnhealthyResourceCount { get; private set; } + + /// + /// Gets number of not applicable resources in the control + /// + [JsonProperty(PropertyName = "properties.notApplicableResourceCount")] + public int? 
NotApplicableResourceCount { get; private set; } + + /// + /// Gets the relative weight for this specific control in each of your + /// subscriptions. Used when calculating an aggregated score for this + /// control across all of your subscriptions. + /// + [JsonProperty(PropertyName = "properties.weight")] + public long? Weight { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.definition")] + public SecureScoreControlDefinitionItem Definition { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Max != null) + { + if (Max < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Max", 0); + } + } + if (Current != null) + { + if (Current < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Current", 0); + } + } + if (Percentage != null) + { + if (Percentage > 1) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "Percentage", 1); + } + if (Percentage < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Percentage", 0); + } + } + if (Weight != null) + { + if (Weight < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Weight", 0); + } + } + if (Definition != null) + { + Definition.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlScore.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlScore.cs new file mode 100644 index 000000000000..c13205cd0a70 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreControlScore.cs 
@@ -0,0 +1,116 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Calculation result data + /// + public partial class SecureScoreControlScore + { + /// + /// Initializes a new instance of the SecureScoreControlScore class. + /// + public SecureScoreControlScore() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecureScoreControlScore class. + /// + /// Maximum control score (0..10) + /// Actual score for the control = (achieved + /// points / total points) * max score. if total points is zeroed, the + /// return number is 0.00 + /// Ratio of the current score divided by the + /// maximum. Rounded to 4 digits after the decimal point + public SecureScoreControlScore(int? max = default(int?), double? current = default(double?), double? percentage = default(double?)) + { + Max = max; + Current = current; + Percentage = percentage; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets maximum control score (0..10) + /// + [JsonProperty(PropertyName = "max")] + public int? Max { get; private set; } + + /// + /// Gets actual score for the control = (achieved points / total + /// points) * max score. if total points is zeroed, the return number + /// is 0.00 + /// + [JsonProperty(PropertyName = "current")] + public double? Current { get; private set; } + + /// + /// Gets ratio of the current score divided by the maximum. 
Rounded to + /// 4 digits after the decimal point + /// + [JsonProperty(PropertyName = "percentage")] + public double? Percentage { get; private set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Max != null) + { + if (Max > 10) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "Max", 10); + } + if (Max < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Max", 0); + } + } + if (Current != null) + { + if (Current > 10) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "Current", 10); + } + if (Current < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Current", 0); + } + } + if (Percentage != null) + { + if (Percentage > 1) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "Percentage", 1); + } + if (Percentage < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Percentage", 0); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreItem.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreItem.cs new file mode 100644 index 000000000000..aa0e2ba185d2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecureScoreItem.cs 
@@ -0,0 +1,136 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Secure score item data model + /// + [Rest.Serialization.JsonTransformation] + public partial class SecureScoreItem : Resource + { + /// + /// Initializes a new instance of the SecureScoreItem class. + /// + public SecureScoreItem() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecureScoreItem class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The initiative’s name + /// Maximum score available + /// Current score + /// Ratio of the current score divided by the + /// maximum. Rounded to 4 digits after the decimal point + /// The relative weight for each subscription. + /// Used when calculating an aggregated secure score for multiple + /// subscriptions. + public SecureScoreItem(string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), int? max = default(int?), double? current = default(double?), double? percentage = default(double?), long? 
weight = default(long?)) + : base(id, name, type) + { + DisplayName = displayName; + Max = max; + Current = current; + Percentage = percentage; + Weight = weight; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the initiative’s name + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets maximum score available + /// + [JsonProperty(PropertyName = "properties.score.max")] + public int? Max { get; private set; } + + /// + /// Gets current score + /// + [JsonProperty(PropertyName = "properties.score.current")] + public double? Current { get; private set; } + + /// + /// Gets ratio of the current score divided by the maximum. Rounded to + /// 4 digits after the decimal point + /// + [JsonProperty(PropertyName = "properties.score.percentage")] + public double? Percentage { get; private set; } + + /// + /// Gets the relative weight for each subscription. Used when + /// calculating an aggregated secure score for multiple subscriptions. + /// + [JsonProperty(PropertyName = "properties.weight")] + public long? Weight { get; private set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Max != null) + { + if (Max < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Max", 0); + } + } + if (Current != null) + { + if (Current < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Current", 0); + } + } + if (Percentage != null) + { + if (Percentage > 1) + { + throw new ValidationException(ValidationRules.InclusiveMaximum, "Percentage", 1); + } + if (Percentage < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Percentage", 0); + } + } + if (Weight != null) + { + if (Weight < 0) + { + throw new ValidationException(ValidationRules.InclusiveMinimum, "Weight", 0); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationByRoleState.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationByRoleState.cs new file mode 100644 index 000000000000..079292ce7d28 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationByRoleState.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SecurityAlertNotificationByRoleState. + /// + public static class SecurityAlertNotificationByRoleState + { + /// + /// Send notification on new alerts to the subscription's admins + /// + public const string On = "On"; + /// + /// Don't send notification on new alerts to the subscription's admins + /// + public const string Off = "Off"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationState.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationState.cs new file mode 100644 index 000000000000..852cd4776a01 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAlertNotificationState.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SecurityAlertNotificationState. + /// + public static class SecurityAlertNotificationState + { + /// + /// Get notifications on new alerts + /// + public const string On = "On"; + /// + /// Don't get notifications on new alerts + /// + public const string Off = "Off"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessment.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessment.cs new file mode 100644 index 000000000000..03c06c51b147 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessment.cs 
@@ -0,0 +1,129 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security assessment on a resource + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityAssessment : Resource + { + /// + /// Initializes a new instance of the SecurityAssessment class. + /// + public SecurityAssessment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityAssessment class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// User friendly display name of the + /// assessment + /// Additional data regarding the + /// assessment + public SecurityAssessment(ResourceDetails resourceDetails, AssessmentStatus status, string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), IDictionary additionalData = default(IDictionary), AssessmentLinks links = default(AssessmentLinks), SecurityAssessmentMetadataProperties metadata = default(SecurityAssessmentMetadataProperties), SecurityAssessmentPartnerData partnersData = default(SecurityAssessmentPartnerData)) + : base(id, name, type) + { + ResourceDetails = resourceDetails; + DisplayName = displayName; + AdditionalData = additionalData; + Links = links; + Metadata = metadata; + PartnersData = partnersData; + Status = status; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + 
[JsonProperty(PropertyName = "properties.resourceDetails")] + public ResourceDetails ResourceDetails { get; set; } + + /// + /// Gets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets or sets additional data regarding the assessment + /// + [JsonProperty(PropertyName = "properties.additionalData")] + public IDictionary AdditionalData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.links")] + public AssessmentLinks Links { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.metadata")] + public SecurityAssessmentMetadataProperties Metadata { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.partnersData")] + public SecurityAssessmentPartnerData PartnersData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.status")] + public AssessmentStatus Status { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (ResourceDetails == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ResourceDetails"); + } + if (Status == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Status"); + } + if (Metadata != null) + { + Metadata.Validate(); + } + if (PartnersData != null) + { + PartnersData.Validate(); + } + if (Status != null) + { + Status.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadata.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadata.cs new file mode 100644 index 000000000000..6e117714f897 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadata.cs 
@@ -0,0 +1,187 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security assessment metadata + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityAssessmentMetadata : Resource + { + /// + /// Initializes a new instance of the SecurityAssessmentMetadata class. + /// + public SecurityAssessmentMetadata() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityAssessmentMetadata class. + /// + /// User friendly display name of the + /// assessment + /// The severity level of the assessment. + /// Possible values include: 'Low', 'Medium', 'High' + /// BuiltIn if the assessment based on + /// built-in Azure Policy definition, Custom if the assessment based on + /// custom Azure Policy definition. Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// Resource Id + /// Resource name + /// Resource type + /// Azure resource ID of the policy + /// definition that turns this assessment calculation on + /// Human readable description of the + /// assessment + /// Human readable description of + /// what you should do to mitigate this security issue + /// The user impact of the assessment. + /// Possible values include: 'Low', 'Moderate', 'High' + /// The implementation effort + /// required to remediate this assessment. 
Possible values include: + /// 'Low', 'Moderate', 'High' + /// True if this assessment is in preview release + /// status + public SecurityAssessmentMetadata(string displayName, string severity, string assessmentType, string id = default(string), string name = default(string), string type = default(string), string policyDefinitionId = default(string), string description = default(string), string remediationDescription = default(string), IList categories = default(IList), string userImpact = default(string), string implementationEffort = default(string), IList threats = default(IList), bool? preview = default(bool?), SecurityAssessmentMetadataPartnerData partnerData = default(SecurityAssessmentMetadataPartnerData)) + : base(id, name, type) + { + DisplayName = displayName; + PolicyDefinitionId = policyDefinitionId; + Description = description; + RemediationDescription = remediationDescription; + Categories = categories; + Severity = severity; + UserImpact = userImpact; + ImplementationEffort = implementationEffort; + Threats = threats; + Preview = preview; + AssessmentType = assessmentType; + PartnerData = partnerData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets azure resource ID of the policy definition that turns this + /// assessment calculation on + /// + [JsonProperty(PropertyName = "properties.policyDefinitionId")] + public string PolicyDefinitionId { get; private set; } + + /// + /// Gets or sets human readable description of the assessment + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets human readable description of what you should do to + /// mitigate this security issue + /// + 
[JsonProperty(PropertyName = "properties.remediationDescription")] + public string RemediationDescription { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.categories")] + public IList Categories { get; set; } + + /// + /// Gets or sets the severity level of the assessment. Possible values + /// include: 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "properties.severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the user impact of the assessment. Possible values + /// include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "properties.userImpact")] + public string UserImpact { get; set; } + + /// + /// Gets or sets the implementation effort required to remediate this + /// assessment. Possible values include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "properties.implementationEffort")] + public string ImplementationEffort { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.threats")] + public IList Threats { get; set; } + + /// + /// Gets or sets true if this assessment is in preview release status + /// + [JsonProperty(PropertyName = "properties.preview")] + public bool? Preview { get; set; } + + /// + /// Gets or sets builtIn if the assessment based on built-in Azure + /// Policy definition, Custom if the assessment based on custom Azure + /// Policy definition. Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// + [JsonProperty(PropertyName = "properties.assessmentType")] + public string AssessmentType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.partnerData")] + public SecurityAssessmentMetadataPartnerData PartnerData { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (DisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DisplayName"); + } + if (Severity == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Severity"); + } + if (AssessmentType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AssessmentType"); + } + if (PartnerData != null) + { + PartnerData.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPartnerData.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPartnerData.cs new file mode 100644 index 000000000000..239f0ac190e8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPartnerData.cs 
@@ -0,0 +1,92 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes the partner that created the assessment + /// + public partial class SecurityAssessmentMetadataPartnerData + { + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataPartnerData class. + /// + public SecurityAssessmentMetadataPartnerData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataPartnerData class. + /// + /// Name of the company of the + /// partner + /// Secret to authenticate the partner and verify + /// it created the assessment - write only + /// Name of the product of the partner that + /// created the assessment + public SecurityAssessmentMetadataPartnerData(string partnerName, string secret, string productName = default(string)) + { + PartnerName = partnerName; + ProductName = productName; + Secret = secret; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets name of the company of the partner + /// + [JsonProperty(PropertyName = "partnerName")] + public string PartnerName { get; set; } + + /// + /// Gets or sets name of the product of the partner that created the + /// assessment + /// + [JsonProperty(PropertyName = "productName")] + public string ProductName { get; set; } + + /// + /// Gets or sets secret to authenticate the partner and verify it + /// created the assessment - write only + /// + [JsonProperty(PropertyName = "secret")] + public string Secret { get; 
set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (PartnerName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PartnerName"); + } + if (Secret == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Secret"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataProperties.cs new file mode 100644 index 000000000000..56d202538867 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataProperties.cs 
@@ -0,0 +1,183 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes properties of an assessment metadata. + /// + public partial class SecurityAssessmentMetadataProperties + { + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataProperties class. + /// + public SecurityAssessmentMetadataProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataProperties class. + /// + /// User friendly display name of the + /// assessment + /// The severity level of the assessment. + /// Possible values include: 'Low', 'Medium', 'High' + /// BuiltIn if the assessment based on + /// built-in Azure Policy definition, Custom if the assessment based on + /// custom Azure Policy definition. Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// Azure resource ID of the policy + /// definition that turns this assessment calculation on + /// Human readable description of the + /// assessment + /// Human readable description of + /// what you should do to mitigate this security issue + /// The user impact of the assessment. + /// Possible values include: 'Low', 'Moderate', 'High' + /// The implementation effort + /// required to remediate this assessment. 
Possible values include: + /// 'Low', 'Moderate', 'High' + /// True if this assessment is in preview release + /// status + public SecurityAssessmentMetadataProperties(string displayName, string severity, string assessmentType, string policyDefinitionId = default(string), string description = default(string), string remediationDescription = default(string), IList categories = default(IList), string userImpact = default(string), string implementationEffort = default(string), IList threats = default(IList), bool? preview = default(bool?), SecurityAssessmentMetadataPartnerData partnerData = default(SecurityAssessmentMetadataPartnerData)) + { + DisplayName = displayName; + PolicyDefinitionId = policyDefinitionId; + Description = description; + RemediationDescription = remediationDescription; + Categories = categories; + Severity = severity; + UserImpact = userImpact; + ImplementationEffort = implementationEffort; + Threats = threats; + Preview = preview; + AssessmentType = assessmentType; + PartnerData = partnerData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "displayName")] + public string DisplayName { get; set; } + + /// + /// Gets azure resource ID of the policy definition that turns this + /// assessment calculation on + /// + [JsonProperty(PropertyName = "policyDefinitionId")] + public string PolicyDefinitionId { get; private set; } + + /// + /// Gets or sets human readable description of the assessment + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets human readable description of what you should do to + /// mitigate this security issue + /// + [JsonProperty(PropertyName = "remediationDescription")] + public string RemediationDescription { get; set; } + + /// + /// + 
[JsonProperty(PropertyName = "categories")] + public IList Categories { get; set; } + + /// + /// Gets or sets the severity level of the assessment. Possible values + /// include: 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the user impact of the assessment. Possible values + /// include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "userImpact")] + public string UserImpact { get; set; } + + /// + /// Gets or sets the implementation effort required to remediate this + /// assessment. Possible values include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "implementationEffort")] + public string ImplementationEffort { get; set; } + + /// + /// + [JsonProperty(PropertyName = "threats")] + public IList Threats { get; set; } + + /// + /// Gets or sets true if this assessment is in preview release status + /// + [JsonProperty(PropertyName = "preview")] + public bool? Preview { get; set; } + + /// + /// Gets or sets builtIn if the assessment based on built-in Azure + /// Policy definition, Custom if the assessment based on custom Azure + /// Policy definition. Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// + [JsonProperty(PropertyName = "assessmentType")] + public string AssessmentType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "partnerData")] + public SecurityAssessmentMetadataPartnerData PartnerData { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (DisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DisplayName"); + } + if (Severity == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Severity"); + } + if (AssessmentType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AssessmentType"); + } + if (PartnerData != null) + { + PartnerData.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPropertiesResponsePublishDates.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPropertiesResponsePublishDates.cs new file mode 100644 index 000000000000..aeadb7deed5d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataPropertiesResponsePublishDates.cs 
@@ -0,0 +1,82 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + public partial class SecurityAssessmentMetadataPropertiesResponsePublishDates + { + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataPropertiesResponsePublishDates class. + /// + public SecurityAssessmentMetadataPropertiesResponsePublishDates() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataPropertiesResponsePublishDates class. + /// + public SecurityAssessmentMetadataPropertiesResponsePublishDates(string publicProperty, string ga = default(string)) + { + GA = ga; + PublicProperty = publicProperty; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "GA")] + public string GA { get; set; } + + /// + /// + [JsonProperty(PropertyName = "public")] + public string PublicProperty { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (PublicProperty == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PublicProperty"); + } + if (GA != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(GA, "^([0-9]{2}/){2}[0-9]{4}$")) + { + throw new ValidationException(ValidationRules.Pattern, "GA", "^([0-9]{2}/){2}[0-9]{4}$"); + } + } + if (PublicProperty != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(PublicProperty, "^([0-9]{2}/){2}[0-9]{4}$")) + { + throw new ValidationException(ValidationRules.Pattern, "PublicProperty", "^([0-9]{2}/){2}[0-9]{4}$"); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataResponse.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataResponse.cs new file mode 100644 index 000000000000..3f4914690ea7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentMetadataResponse.cs 
@@ -0,0 +1,224 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security assessment metadata response + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityAssessmentMetadataResponse : Resource + { + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataResponse class. + /// + public SecurityAssessmentMetadataResponse() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityAssessmentMetadataResponse class. + /// + /// User friendly display name of the + /// assessment + /// The severity level of the assessment. + /// Possible values include: 'Low', 'Medium', 'High' + /// BuiltIn if the assessment based on + /// built-in Azure Policy definition, Custom if the assessment based on + /// custom Azure Policy definition. Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// Resource Id + /// Resource name + /// Resource type + /// Azure resource ID of the policy + /// definition that turns this assessment calculation on + /// Human readable description of the + /// assessment + /// Human readable description of + /// what you should do to mitigate this security issue + /// The user impact of the assessment. + /// Possible values include: 'Low', 'Moderate', 'High' + /// The implementation effort + /// required to remediate this assessment. 
Possible values include: + /// 'Low', 'Moderate', 'High' + /// True if this assessment is in preview release + /// status + public SecurityAssessmentMetadataResponse(string displayName, string severity, string assessmentType, string id = default(string), string name = default(string), string type = default(string), string policyDefinitionId = default(string), string description = default(string), string remediationDescription = default(string), IList categories = default(IList), string userImpact = default(string), string implementationEffort = default(string), IList threats = default(IList), bool? preview = default(bool?), SecurityAssessmentMetadataPartnerData partnerData = default(SecurityAssessmentMetadataPartnerData), SecurityAssessmentMetadataPropertiesResponsePublishDates publishDates = default(SecurityAssessmentMetadataPropertiesResponsePublishDates), string plannedDeprecationDate = default(string), IList tactics = default(IList), IList techniques = default(IList)) + : base(id, name, type) + { + DisplayName = displayName; + PolicyDefinitionId = policyDefinitionId; + Description = description; + RemediationDescription = remediationDescription; + Categories = categories; + Severity = severity; + UserImpact = userImpact; + ImplementationEffort = implementationEffort; + Threats = threats; + Preview = preview; + AssessmentType = assessmentType; + PartnerData = partnerData; + PublishDates = publishDates; + PlannedDeprecationDate = plannedDeprecationDate; + Tactics = tactics; + Techniques = techniques; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; set; } + + /// + /// Gets azure resource ID of the policy definition that turns this + /// assessment calculation on + /// + [JsonProperty(PropertyName 
= "properties.policyDefinitionId")] + public string PolicyDefinitionId { get; private set; } + + /// + /// Gets or sets human readable description of the assessment + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; set; } + + /// + /// Gets or sets human readable description of what you should do to + /// mitigate this security issue + /// + [JsonProperty(PropertyName = "properties.remediationDescription")] + public string RemediationDescription { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.categories")] + public IList Categories { get; set; } + + /// + /// Gets or sets the severity level of the assessment. Possible values + /// include: 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "properties.severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the user impact of the assessment. Possible values + /// include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "properties.userImpact")] + public string UserImpact { get; set; } + + /// + /// Gets or sets the implementation effort required to remediate this + /// assessment. Possible values include: 'Low', 'Moderate', 'High' + /// + [JsonProperty(PropertyName = "properties.implementationEffort")] + public string ImplementationEffort { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.threats")] + public IList Threats { get; set; } + + /// + /// Gets or sets true if this assessment is in preview release status + /// + [JsonProperty(PropertyName = "properties.preview")] + public bool? Preview { get; set; } + + /// + /// Gets or sets builtIn if the assessment based on built-in Azure + /// Policy definition, Custom if the assessment based on custom Azure + /// Policy definition. 
Possible values include: 'BuiltIn', + /// 'CustomPolicy', 'CustomerManaged', 'VerifiedPartner' + /// + [JsonProperty(PropertyName = "properties.assessmentType")] + public string AssessmentType { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.partnerData")] + public SecurityAssessmentMetadataPartnerData PartnerData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.publishDates")] + public SecurityAssessmentMetadataPropertiesResponsePublishDates PublishDates { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.plannedDeprecationDate")] + public string PlannedDeprecationDate { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.tactics")] + public IList Tactics { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.techniques")] + public IList Techniques { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (DisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "DisplayName"); + } + if (Severity == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Severity"); + } + if (AssessmentType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AssessmentType"); + } + if (PartnerData != null) + { + PartnerData.Validate(); + } + if (PublishDates != null) + { + PublishDates.Validate(); + } + if (PlannedDeprecationDate != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(PlannedDeprecationDate, "^[0-9]{2}/[0-9]{4}$")) + { + throw new ValidationException(ValidationRules.Pattern, "PlannedDeprecationDate", "^[0-9]{2}/[0-9]{4}$"); + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPartnerData.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPartnerData.cs new file mode 100644 index 000000000000..a5111cfc592e --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPartnerData.cs @@ -0,0 +1,81 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Data regarding 3rd party partner integration + /// + public partial class SecurityAssessmentPartnerData + { + /// + /// Initializes a new instance of the SecurityAssessmentPartnerData + /// class. + /// + public SecurityAssessmentPartnerData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityAssessmentPartnerData + /// class. + /// + /// Name of the company of the + /// partner + /// secret to authenticate the partner - write + /// only + public SecurityAssessmentPartnerData(string partnerName, string secret) + { + PartnerName = partnerName; + Secret = secret; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets name of the company of the partner + /// + [JsonProperty(PropertyName = "partnerName")] + public string PartnerName { get; set; } + + /// + /// Gets or sets secret to authenticate the partner - write only + /// + [JsonProperty(PropertyName = "secret")] + public string Secret { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (PartnerName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PartnerName"); + } + if (Secret == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Secret"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPropertiesBase.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPropertiesBase.cs new file mode 100644 index 000000000000..b427a560b47d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentPropertiesBase.cs 
@@ -0,0 +1,111 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Describes properties of an assessment. + /// + public partial class SecurityAssessmentPropertiesBase + { + /// + /// Initializes a new instance of the SecurityAssessmentPropertiesBase + /// class. + /// + public SecurityAssessmentPropertiesBase() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityAssessmentPropertiesBase + /// class. + /// + /// User friendly display name of the + /// assessment + /// Additional data regarding the + /// assessment + public SecurityAssessmentPropertiesBase(ResourceDetails resourceDetails, string displayName = default(string), IDictionary additionalData = default(IDictionary), AssessmentLinks links = default(AssessmentLinks), SecurityAssessmentMetadataProperties metadata = default(SecurityAssessmentMetadataProperties), SecurityAssessmentPartnerData partnersData = default(SecurityAssessmentPartnerData)) + { + ResourceDetails = resourceDetails; + DisplayName = displayName; + AdditionalData = additionalData; + Links = links; + Metadata = metadata; + PartnersData = partnersData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "resourceDetails")] + public ResourceDetails ResourceDetails { get; set; } + + /// + /// Gets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "displayName")] + public 
string DisplayName { get; private set; } + + /// + /// Gets or sets additional data regarding the assessment + /// + [JsonProperty(PropertyName = "additionalData")] + public IDictionary AdditionalData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "links")] + public AssessmentLinks Links { get; set; } + + /// + /// + [JsonProperty(PropertyName = "metadata")] + public SecurityAssessmentMetadataProperties Metadata { get; set; } + + /// + /// + [JsonProperty(PropertyName = "partnersData")] + public SecurityAssessmentPartnerData PartnersData { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (ResourceDetails == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ResourceDetails"); + } + if (Metadata != null) + { + Metadata.Validate(); + } + if (PartnersData != null) + { + PartnersData.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentResponse.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentResponse.cs new file mode 100644 index 000000000000..9b440803bb42 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityAssessmentResponse.cs 
@@ -0,0 +1,129 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Security assessment on a resource - response format + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityAssessmentResponse : Resource + { + /// + /// Initializes a new instance of the SecurityAssessmentResponse class. + /// + public SecurityAssessmentResponse() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityAssessmentResponse class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// User friendly display name of the + /// assessment + /// Additional data regarding the + /// assessment + public SecurityAssessmentResponse(ResourceDetails resourceDetails, AssessmentStatusResponse status, string id = default(string), string name = default(string), string type = default(string), string displayName = default(string), IDictionary additionalData = default(IDictionary), AssessmentLinks links = default(AssessmentLinks), SecurityAssessmentMetadataProperties metadata = default(SecurityAssessmentMetadataProperties), SecurityAssessmentPartnerData partnersData = default(SecurityAssessmentPartnerData)) + : base(id, name, type) + { + ResourceDetails = resourceDetails; + DisplayName = displayName; + AdditionalData = additionalData; + Links = links; + Metadata = metadata; + PartnersData = partnersData; + Status = status; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting 
defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties.resourceDetails")] + public ResourceDetails ResourceDetails { get; set; } + + /// + /// Gets user friendly display name of the assessment + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// Gets or sets additional data regarding the assessment + /// + [JsonProperty(PropertyName = "properties.additionalData")] + public IDictionary AdditionalData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.links")] + public AssessmentLinks Links { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.metadata")] + public SecurityAssessmentMetadataProperties Metadata { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.partnersData")] + public SecurityAssessmentPartnerData PartnersData { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.status")] + public AssessmentStatusResponse Status { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (ResourceDetails == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ResourceDetails"); + } + if (Status == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Status"); + } + if (Metadata != null) + { + Metadata.Validate(); + } + if (PartnersData != null) + { + PartnersData.Validate(); + } + if (Status != null) + { + Status.Validate(); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnector.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnector.cs new file mode 100644 index 000000000000..4b5f41bb8545 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnector.cs 
@@ -0,0 +1,120 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// The security connector resource. + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityConnector : TrackedResource + { + /// + /// Initializes a new instance of the SecurityConnector class. + /// + public SecurityConnector() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityConnector class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// Kind of the resource + /// Entity tag is used for comparing two or more + /// entities from the same requested resource. + /// A list of key value pairs that describe the + /// resource. + /// Azure Resource Manager metadata containing + /// createdBy and modifiedBy information. + /// The multi cloud resource + /// identifier (account id in case of AWS connector, project number in + /// case of GCP connector). + /// The date on which the + /// trial period will end, if applicable. Trial period exists for 30 + /// days after upgrading to payed offerings. + /// The multi cloud resource's cloud + /// name. Possible values include: 'Azure', 'AWS', 'GCP', 'Github', + /// 'AzureDevOps' + /// A collection of offerings for the security + /// connector. + /// The security connector environment + /// data. 
+ public SecurityConnector(string id = default(string), string name = default(string), string type = default(string), string location = default(string), string kind = default(string), string etag = default(string), IDictionary tags = default(IDictionary), SystemData systemData = default(SystemData), string hierarchyIdentifier = default(string), System.DateTime? hierarchyIdentifierTrialEndDate = default(System.DateTime?), string environmentName = default(string), IList offerings = default(IList), EnvironmentData environmentData = default(EnvironmentData)) + : base(id, name, type, location, kind, etag, tags) + { + SystemData = systemData; + HierarchyIdentifier = hierarchyIdentifier; + HierarchyIdentifierTrialEndDate = hierarchyIdentifierTrialEndDate; + EnvironmentName = environmentName; + Offerings = offerings; + EnvironmentData = environmentData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure Resource Manager metadata containing createdBy and + /// modifiedBy information. + /// + [JsonProperty(PropertyName = "systemData")] + public SystemData SystemData { get; private set; } + + /// + /// Gets or sets the multi cloud resource identifier (account id in + /// case of AWS connector, project number in case of GCP connector). + /// + [JsonProperty(PropertyName = "properties.hierarchyIdentifier")] + public string HierarchyIdentifier { get; set; } + + /// + /// Gets the date on which the trial period will end, if applicable. + /// Trial period exists for 30 days after upgrading to payed offerings. + /// + [JsonProperty(PropertyName = "properties.hierarchyIdentifierTrialEndDate")] + public System.DateTime? HierarchyIdentifierTrialEndDate { get; private set; } + + /// + /// Gets or sets the multi cloud resource's cloud name. 
Possible values + /// include: 'Azure', 'AWS', 'GCP', 'Github', 'AzureDevOps' + /// + [JsonProperty(PropertyName = "properties.environmentName")] + public string EnvironmentName { get; set; } + + /// + /// Gets or sets a collection of offerings for the security connector. + /// + [JsonProperty(PropertyName = "properties.offerings")] + public IList Offerings { get; set; } + + /// + /// Gets or sets the security connector environment data. + /// + [JsonProperty(PropertyName = "properties.environmentData")] + public EnvironmentData EnvironmentData { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnectorGovernanceRulesExecuteStatusGetHeaders.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnectorGovernanceRulesExecuteStatusGetHeaders.cs new file mode 100644 index 000000000000..253c728ba409 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityConnectorGovernanceRulesExecuteStatusGetHeaders.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Defines headers for Get operation. + /// + public partial class SecurityConnectorGovernanceRulesExecuteStatusGetHeaders + { + /// + /// Initializes a new instance of the + /// SecurityConnectorGovernanceRulesExecuteStatusGetHeaders class. + /// + public SecurityConnectorGovernanceRulesExecuteStatusGetHeaders() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityConnectorGovernanceRulesExecuteStatusGetHeaders class. + /// + /// Location URL for the execution + /// status + public SecurityConnectorGovernanceRulesExecuteStatusGetHeaders(string location = default(string)) + { + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets location URL for the execution status + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityContact.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContact.cs new file mode 100644 index 000000000000..ed930e6f1e81 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContact.cs 
@@ -0,0 +1,93 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Contact details and configurations for notifications coming from + /// Microsoft Defender for Cloud. + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityContact : Resource + { + /// + /// Initializes a new instance of the SecurityContact class. + /// + public SecurityContact() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityContact class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// List of email addresses which will get + /// notifications from Microsoft Defender for Cloud by the + /// configurations defined in this security contact. + /// The security contact's phone number + /// Defines whether to send email + /// notifications about new security alerts + /// Defines whether to send email + /// notifications from Microsoft Defender for Cloud to persons with + /// specific RBAC roles on the subscription. 
+ public SecurityContact(string id = default(string), string name = default(string), string type = default(string), string emails = default(string), string phone = default(string), SecurityContactPropertiesAlertNotifications alertNotifications = default(SecurityContactPropertiesAlertNotifications), SecurityContactPropertiesNotificationsByRole notificationsByRole = default(SecurityContactPropertiesNotificationsByRole)) + : base(id, name, type) + { + Emails = emails; + Phone = phone; + AlertNotifications = alertNotifications; + NotificationsByRole = notificationsByRole; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets list of email addresses which will get notifications + /// from Microsoft Defender for Cloud by the configurations defined in + /// this security contact. + /// + [JsonProperty(PropertyName = "properties.emails")] + public string Emails { get; set; } + + /// + /// Gets or sets the security contact's phone number + /// + [JsonProperty(PropertyName = "properties.phone")] + public string Phone { get; set; } + + /// + /// Gets or sets defines whether to send email notifications about new + /// security alerts + /// + [JsonProperty(PropertyName = "properties.alertNotifications")] + public SecurityContactPropertiesAlertNotifications AlertNotifications { get; set; } + + /// + /// Gets or sets defines whether to send email notifications from + /// Microsoft Defender for Cloud to persons with specific RBAC roles on + /// the subscription. + /// + [JsonProperty(PropertyName = "properties.notificationsByRole")] + public SecurityContactPropertiesNotificationsByRole NotificationsByRole { get; set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesAlertNotifications.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesAlertNotifications.cs new file mode 100644 index 000000000000..ae3738e954ac --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesAlertNotifications.cs 
@@ -0,0 +1,68 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Defines whether to send email notifications about new security alerts + /// + public partial class SecurityContactPropertiesAlertNotifications + { + /// + /// Initializes a new instance of the + /// SecurityContactPropertiesAlertNotifications class. + /// + public SecurityContactPropertiesAlertNotifications() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityContactPropertiesAlertNotifications class. + /// + /// Defines if email notifications will be sent + /// about new security alerts. Possible values include: 'On', + /// 'Off' + /// Defines the minimal alert severity + /// which will be sent as email notifications. Possible values include: + /// 'High', 'Medium', 'Low' + public SecurityContactPropertiesAlertNotifications(string state = default(string), string minimalSeverity = default(string)) + { + State = state; + MinimalSeverity = minimalSeverity; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets defines if email notifications will be sent about new + /// security alerts. Possible values include: 'On', 'Off' + /// + [JsonProperty(PropertyName = "state")] + public string State { get; set; } + + /// + /// Gets or sets defines the minimal alert severity which will be sent + /// as email notifications. 
Possible values include: 'High', 'Medium', + /// 'Low' + /// + [JsonProperty(PropertyName = "minimalSeverity")] + public string MinimalSeverity { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesNotificationsByRole.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesNotificationsByRole.cs new file mode 100644 index 000000000000..05ce9d1e29b1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityContactPropertiesNotificationsByRole.cs 
@@ -0,0 +1,72 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Defines whether to send email notifications from Microsoft Defender for + /// Cloud to persons with specific RBAC roles on the subscription. + /// + public partial class SecurityContactPropertiesNotificationsByRole + { + /// + /// Initializes a new instance of the + /// SecurityContactPropertiesNotificationsByRole class. + /// + public SecurityContactPropertiesNotificationsByRole() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecurityContactPropertiesNotificationsByRole class. + /// + /// Defines whether to send email notifications + /// from AMicrosoft Defender for Cloud to persons with specific RBAC + /// roles on the subscription. Possible values include: 'On', + /// 'Off' + /// Defines which RBAC roles will get email + /// notifications from Microsoft Defender for Cloud. List of allowed + /// RBAC roles: + public SecurityContactPropertiesNotificationsByRole(string state = default(string), IList roles = default(IList)) + { + State = state; + Roles = roles; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets defines whether to send email notifications from + /// AMicrosoft Defender for Cloud to persons with specific RBAC roles + /// on the subscription. 
Possible values include: 'On', 'Off' + /// + [JsonProperty(PropertyName = "state")] + public string State { get; set; } + + /// + /// Gets or sets defines which RBAC roles will get email notifications + /// from Microsoft Defender for Cloud. List of allowed RBAC roles: + /// + [JsonProperty(PropertyName = "roles")] + public IList Roles { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityFamily.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityFamily.cs new file mode 100644 index 000000000000..5c56967d3c07 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityFamily.cs @@ -0,0 +1,24 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SecurityFamily. + /// + public static class SecurityFamily + { + public const string Waf = "Waf"; + public const string Ngfw = "Ngfw"; + public const string SaasWaf = "SaasWaf"; + public const string Va = "Va"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolution.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolution.cs new file mode 100644 index 000000000000..3b11e243b80e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolution.cs 
@@ -0,0 +1,140 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class SecuritySolution + { + /// + /// Initializes a new instance of the SecuritySolution class. + /// + public SecuritySolution() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecuritySolution class. + /// + /// The security family of the security + /// solution. Possible values include: 'Waf', 'Ngfw', 'SaasWaf', + /// 'Va' + /// The security family provisioning + /// State. Possible values include: 'Succeeded', 'Failed', + /// 'Updating' + /// The security solutions' template + /// The security solutions' + /// status + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public SecuritySolution(string securityFamily, string provisioningState, string template, string protectionStatus, string id = default(string), string name = default(string), string type = default(string), string location = default(string)) + { + Id = id; + Name = name; + Type = type; + Location = location; + SecurityFamily = securityFamily; + ProvisioningState = provisioningState; + Template = template; + ProtectionStatus = protectionStatus; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + 
[JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets or sets the security family of the security solution. Possible + /// values include: 'Waf', 'Ngfw', 'SaasWaf', 'Va' + /// + [JsonProperty(PropertyName = "properties.securityFamily")] + public string SecurityFamily { get; set; } + + /// + /// Gets or sets the security family provisioning State. Possible + /// values include: 'Succeeded', 'Failed', 'Updating' + /// + [JsonProperty(PropertyName = "properties.provisioningState")] + public string ProvisioningState { get; set; } + + /// + /// Gets or sets the security solutions' template + /// + [JsonProperty(PropertyName = "properties.template")] + public string Template { get; set; } + + /// + /// Gets or sets the security solutions' status + /// + [JsonProperty(PropertyName = "properties.protectionStatus")] + public string ProtectionStatus { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (SecurityFamily == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "SecurityFamily"); + } + if (ProvisioningState == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ProvisioningState"); + } + if (Template == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Template"); + } + if (ProtectionStatus == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ProtectionStatus"); + } + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionStatus.cs new file mode 100644 index 000000000000..04aa23861a3e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionStatus.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SecuritySolutionStatus. + /// + public static class SecuritySolutionStatus + { + public const string Enabled = "Enabled"; + public const string Disabled = "Disabled"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceData.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceData.cs new file mode 100644 index 000000000000..fb9f193a9b77 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceData.cs 
@@ -0,0 +1,178 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class SecuritySolutionsReferenceData + { + /// + /// Initializes a new instance of the SecuritySolutionsReferenceData + /// class. + /// + public SecuritySolutionsReferenceData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecuritySolutionsReferenceData + /// class. + /// + /// The security family of the security + /// solution. Possible values include: 'Waf', 'Ngfw', 'SaasWaf', + /// 'Va' + /// The security solutions' vendor + /// name + /// The security solutions' package info + /// url + /// The security solutions' product + /// name + /// The security solutions' publisher + /// The security solutions' + /// publisher display name + /// The security solutions' template + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + public SecuritySolutionsReferenceData(string securityFamily, string alertVendorName, string packageInfoUrl, string productName, string publisher, string publisherDisplayName, string template, string id = default(string), string name = default(string), string type = default(string), string location = default(string)) + { + Id = id; + Name = name; + Type = type; + Location = location; + SecurityFamily = securityFamily; + AlertVendorName = alertVendorName; + PackageInfoUrl = packageInfoUrl; + ProductName = productName; + Publisher = publisher; + PublisherDisplayName = publisherDisplayName; + Template = 
template; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets or sets the security family of the security solution. Possible + /// values include: 'Waf', 'Ngfw', 'SaasWaf', 'Va' + /// + [JsonProperty(PropertyName = "properties.securityFamily")] + public string SecurityFamily { get; set; } + + /// + /// Gets or sets the security solutions' vendor name + /// + [JsonProperty(PropertyName = "properties.alertVendorName")] + public string AlertVendorName { get; set; } + + /// + /// Gets or sets the security solutions' package info url + /// + [JsonProperty(PropertyName = "properties.packageInfoUrl")] + public string PackageInfoUrl { get; set; } + + /// + /// Gets or sets the security solutions' product name + /// + [JsonProperty(PropertyName = "properties.productName")] + public string ProductName { get; set; } + + /// + /// Gets or sets the security solutions' publisher + /// + [JsonProperty(PropertyName = "properties.publisher")] + public string Publisher { get; set; } + + /// + /// Gets or sets the security solutions' publisher display name + /// + [JsonProperty(PropertyName = "properties.publisherDisplayName")] + public string PublisherDisplayName { get; set; } + + /// + /// Gets or sets the security solutions' template + /// + [JsonProperty(PropertyName = "properties.template")] + public string Template { get; set; } + + /// + /// Validate the 
object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (SecurityFamily == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "SecurityFamily"); + } + if (AlertVendorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AlertVendorName"); + } + if (PackageInfoUrl == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PackageInfoUrl"); + } + if (ProductName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ProductName"); + } + if (Publisher == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Publisher"); + } + if (PublisherDisplayName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "PublisherDisplayName"); + } + if (Template == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Template"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceDataList.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceDataList.cs new file mode 100644 index 000000000000..9f49c1c98659 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySolutionsReferenceDataList.cs 
@@ -0,0 +1,50 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class SecuritySolutionsReferenceDataList + { + /// + /// Initializes a new instance of the + /// SecuritySolutionsReferenceDataList class. + /// + public SecuritySolutionsReferenceDataList() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SecuritySolutionsReferenceDataList class. + /// + public SecuritySolutionsReferenceDataList(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecuritySubAssessment.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySubAssessment.cs new file mode 100644 index 000000000000..36c19a3ee77c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecuritySubAssessment.cs 
@@ -0,0 +1,129 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Security sub-assessment on a resource + /// + [Rest.Serialization.JsonTransformation] + public partial class SecuritySubAssessment : Resource + { + /// + /// Initializes a new instance of the SecuritySubAssessment class. + /// + public SecuritySubAssessment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecuritySubAssessment class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Vulnerability ID + /// User friendly display name of the + /// sub-assessment + /// Information on how to remediate this + /// sub-assessment + /// Description of the impact of this + /// sub-assessment + /// Category of the sub-assessment + /// Human readable description of the + /// assessment status + /// The date and time the sub-assessment + /// was generated + public SecuritySubAssessment(string id = default(string), string name = default(string), string type = default(string), string securitySubAssessmentId = default(string), string displayName = default(string), SubAssessmentStatus status = default(SubAssessmentStatus), string remediation = default(string), string impact = default(string), string category = default(string), string description = default(string), System.DateTime? 
timeGenerated = default(System.DateTime?), ResourceDetails resourceDetails = default(ResourceDetails), AdditionalData additionalData = default(AdditionalData)) + : base(id, name, type) + { + SecuritySubAssessmentId = securitySubAssessmentId; + DisplayName = displayName; + Status = status; + Remediation = remediation; + Impact = impact; + Category = category; + Description = description; + TimeGenerated = timeGenerated; + ResourceDetails = resourceDetails; + AdditionalData = additionalData; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets vulnerability ID + /// + [JsonProperty(PropertyName = "properties.id")] + public string SecuritySubAssessmentId { get; private set; } + + /// + /// Gets user friendly display name of the sub-assessment + /// + [JsonProperty(PropertyName = "properties.displayName")] + public string DisplayName { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.status")] + public SubAssessmentStatus Status { get; set; } + + /// + /// Gets information on how to remediate this sub-assessment + /// + [JsonProperty(PropertyName = "properties.remediation")] + public string Remediation { get; private set; } + + /// + /// Gets description of the impact of this sub-assessment + /// + [JsonProperty(PropertyName = "properties.impact")] + public string Impact { get; private set; } + + /// + /// Gets category of the sub-assessment + /// + [JsonProperty(PropertyName = "properties.category")] + public string Category { get; private set; } + + /// + /// Gets human readable description of the assessment status + /// + [JsonProperty(PropertyName = "properties.description")] + public string Description { get; private set; } + + /// + /// Gets the date and time the sub-assessment was generated + /// + [JsonProperty(PropertyName = "properties.timeGenerated")] + public System.DateTime? 
TimeGenerated { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.resourceDetails")] + public ResourceDetails ResourceDetails { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.additionalData")] + public AdditionalData AdditionalData { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityTask.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityTask.cs new file mode 100644 index 000000000000..c220f050da08 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityTask.cs 
@@ -0,0 +1,92 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Security task that we recommend to do in order to strengthen security + /// + [Rest.Serialization.JsonTransformation] + public partial class SecurityTask : Resource + { + /// + /// Initializes a new instance of the SecurityTask class. + /// + public SecurityTask() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityTask class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// State of the task (Active, Resolved + /// etc.) + /// The time this task was discovered in + /// UTC + /// The time this task's details + /// were last changed in UTC + /// Additional data on the state of the + /// task + public SecurityTask(string id = default(string), string name = default(string), string type = default(string), string state = default(string), System.DateTime? creationTimeUtc = default(System.DateTime?), SecurityTaskParameters securityTaskParameters = default(SecurityTaskParameters), System.DateTime? lastStateChangeTimeUtc = default(System.DateTime?), string subState = default(string)) + : base(id, name, type) + { + State = state; + CreationTimeUtc = creationTimeUtc; + SecurityTaskParameters = securityTaskParameters; + LastStateChangeTimeUtc = lastStateChangeTimeUtc; + SubState = subState; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets state of the task (Active, Resolved etc.) 
+ /// + [JsonProperty(PropertyName = "properties.state")] + public string State { get; private set; } + + /// + /// Gets the time this task was discovered in UTC + /// + [JsonProperty(PropertyName = "properties.creationTimeUtc")] + public System.DateTime? CreationTimeUtc { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "properties.securityTaskParameters")] + public SecurityTaskParameters SecurityTaskParameters { get; set; } + + /// + /// Gets the time this task's details were last changed in UTC + /// + [JsonProperty(PropertyName = "properties.lastStateChangeTimeUtc")] + public System.DateTime? LastStateChangeTimeUtc { get; private set; } + + /// + /// Gets additional data on the state of the task + /// + [JsonProperty(PropertyName = "properties.subState")] + public string SubState { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SecurityTaskParameters.cs b/src/Security/Security.Management.Sdk/Generated/Models/SecurityTaskParameters.cs new file mode 100644 index 000000000000..c4fe6ec39563 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SecurityTaskParameters.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Changing set of properties, depending on the task type that is derived + /// from the name field + /// + public partial class SecurityTaskParameters + { + /// + /// Initializes a new instance of the SecurityTaskParameters class. + /// + public SecurityTaskParameters() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SecurityTaskParameters class. + /// + /// Unmatched properties from the + /// message are deserialized this collection + /// Name of the task type + public SecurityTaskParameters(IDictionary additionalProperties = default(IDictionary), string name = default(string)) + { + AdditionalProperties = additionalProperties; + Name = name; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unmatched properties from the message are deserialized + /// this collection + /// + [JsonExtensionData] + public IDictionary AdditionalProperties { get; set; } + + /// + /// Gets name of the task type + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SensitivityLabel.cs b/src/Security/Security.Management.Sdk/Generated/Models/SensitivityLabel.cs new file mode 100644 index 000000000000..eab74c284f0a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SensitivityLabel.cs 
@@ -0,0 +1,88 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The sensitivity label. + /// + public partial class SensitivityLabel + { + /// + /// Initializes a new instance of the SensitivityLabel class. + /// + public SensitivityLabel() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SensitivityLabel class. + /// + /// The name of the sensitivity + /// label. + /// The description of the sensitivity + /// label. + /// The rank of the sensitivity label. Possible + /// values include: 'None', 'Low', 'Medium', 'High', 'Critical' + /// The order of the sensitivity label. + /// Indicates whether the label is enabled or + /// not. + public SensitivityLabel(string displayName = default(string), string description = default(string), Rank? rank = default(Rank?), int? order = default(int?), bool? enabled = default(bool?)) + { + DisplayName = displayName; + Description = description; + Rank = rank; + Order = order; + Enabled = enabled; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the name of the sensitivity label. + /// + [JsonProperty(PropertyName = "displayName")] + public string DisplayName { get; set; } + + /// + /// Gets or sets the description of the sensitivity label. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets the rank of the sensitivity label. 
Possible values + /// include: 'None', 'Low', 'Medium', 'High', 'Critical' + /// + [JsonProperty(PropertyName = "rank")] + public Rank? Rank { get; set; } + + /// + /// Gets or sets the order of the sensitivity label. + /// + [JsonProperty(PropertyName = "order")] + public int? Order { get; set; } + + /// + /// Gets or sets indicates whether the label is enabled or not. + /// + [JsonProperty(PropertyName = "enabled")] + public bool? Enabled { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessment.cs b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessment.cs new file mode 100644 index 000000000000..b439ebeeee5c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessment.cs 
@@ -0,0 +1,65 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Describes the server vulnerability assessment details on a resource + /// + [Rest.Serialization.JsonTransformation] + public partial class ServerVulnerabilityAssessment : Resource + { + /// + /// Initializes a new instance of the ServerVulnerabilityAssessment + /// class. + /// + public ServerVulnerabilityAssessment() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ServerVulnerabilityAssessment + /// class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// The provisioningState of the + /// vulnerability assessment capability on the VM. Possible values + /// include: 'Succeeded', 'Failed', 'Canceled', 'Provisioning', + /// 'Deprovisioning' + public ServerVulnerabilityAssessment(string id = default(string), string name = default(string), string type = default(string), string provisioningState = default(string)) + : base(id, name, type) + { + ProvisioningState = provisioningState; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the provisioningState of the vulnerability assessment + /// capability on the VM. Possible values include: 'Succeeded', + /// 'Failed', 'Canceled', 'Provisioning', 'Deprovisioning' + /// + [JsonProperty(PropertyName = "properties.provisioningState")] + public string ProvisioningState { get; private set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessmentsList.cs b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessmentsList.cs new file mode 100644 index 000000000000..55aa5f7c97b7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityAssessmentsList.cs @@ -0,0 +1,53 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// List of server vulnerability assessments + /// + public partial class ServerVulnerabilityAssessmentsList + { + /// + /// Initializes a new instance of the + /// ServerVulnerabilityAssessmentsList class. + /// + public ServerVulnerabilityAssessmentsList() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// ServerVulnerabilityAssessmentsList class. + /// + public ServerVulnerabilityAssessmentsList(IList value = default(IList)) + { + Value = value; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "value")] + public IList Value { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityProperties.cs new file mode 100644 index 000000000000..bbfe28e93d43 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ServerVulnerabilityProperties.cs 
@@ -0,0 +1,106 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Additional context fields for server vulnerability assessment + /// + [Newtonsoft.Json.JsonObject("ServerVulnerabilityAssessment")] + public partial class ServerVulnerabilityProperties : AdditionalData + { + /// + /// Initializes a new instance of the ServerVulnerabilityProperties + /// class. + /// + public ServerVulnerabilityProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ServerVulnerabilityProperties + /// class. + /// + /// Vulnerability Type. e.g: Vulnerability, + /// Potential Vulnerability, Information Gathered + /// Dictionary from cvss version to cvss details + /// object + /// Indicates whether a patch is available or + /// not + /// List of CVEs + /// Threat name + /// Published time + public ServerVulnerabilityProperties(string type = default(string), IDictionary cvss = default(IDictionary), bool? patchable = default(bool?), IList cve = default(IList), string threat = default(string), System.DateTime? publishedTime = default(System.DateTime?), IList vendorReferences = default(IList)) + { + Type = type; + Cvss = cvss; + Patchable = patchable; + Cve = cve; + Threat = threat; + PublishedTime = publishedTime; + VendorReferences = vendorReferences; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets vulnerability Type. 
e.g: Vulnerability, Potential + /// Vulnerability, Information Gathered + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets dictionary from cvss version to cvss details object + /// + [JsonProperty(PropertyName = "cvss")] + public IDictionary Cvss { get; private set; } + + /// + /// Gets indicates whether a patch is available or not + /// + [JsonProperty(PropertyName = "patchable")] + public bool? Patchable { get; private set; } + + /// + /// Gets list of CVEs + /// + [JsonProperty(PropertyName = "cve")] + public IList Cve { get; private set; } + + /// + /// Gets threat name + /// + [JsonProperty(PropertyName = "threat")] + public string Threat { get; private set; } + + /// + /// Gets published time + /// + [JsonProperty(PropertyName = "publishedTime")] + public System.DateTime? PublishedTime { get; private set; } + + /// + /// + [JsonProperty(PropertyName = "vendorReferences")] + public IList VendorReferences { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ServicePrincipalProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/ServicePrincipalProperties.cs new file mode 100644 index 000000000000..974632976de4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ServicePrincipalProperties.cs 
@@ -0,0 +1,64 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the service principal. + /// + public partial class ServicePrincipalProperties + { + /// + /// Initializes a new instance of the ServicePrincipalProperties class. + /// + public ServicePrincipalProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ServicePrincipalProperties class. + /// + /// Application ID of service + /// principal. + /// A secret string that the application uses to + /// prove its identity, also can be referred to as application password + /// (write only). + public ServicePrincipalProperties(string applicationId = default(string), string secret = default(string)) + { + ApplicationId = applicationId; + Secret = secret; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets application ID of service principal. + /// + [JsonProperty(PropertyName = "applicationId")] + public string ApplicationId { get; set; } + + /// + /// Gets or sets a secret string that the application uses to prove its + /// identity, also can be referred to as application password (write + /// only). + /// + [JsonProperty(PropertyName = "secret")] + public string Secret { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Setting.cs b/src/Security/Security.Management.Sdk/Generated/Models/Setting.cs new file mode 100644 index 000000000000..9beaab70fad5 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/Setting.cs @@ -0,0 +1,48 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// The kind of the security setting + /// + [Newtonsoft.Json.JsonObject("Setting")] + public partial class Setting : Resource + { + /// + /// Initializes a new instance of the Setting class. + /// + public Setting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Setting class. + /// + /// Resource Id + /// Resource name + /// Resource type + public Setting(string id = default(string), string name = default(string), string type = default(string)) + : base(id, name, type) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SettingName2.cs b/src/Security/Security.Management.Sdk/Generated/Models/SettingName2.cs new file mode 100644 index 000000000000..9e48de43cda2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SettingName2.cs 
@@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SettingName2. + /// + public static class SettingName2 + { + public const string MCAS = "MCAS"; + public const string WDATP = "WDATP"; + public const string WDATPEXCLUDELINUXPUBLICPREVIEW = "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW"; + public const string WDATPUNIFIEDSOLUTION = "WDATP_UNIFIED_SOLUTION"; + public const string Sentinel = "Sentinel"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SettingName4.cs b/src/Security/Security.Management.Sdk/Generated/Models/SettingName4.cs new file mode 100644 index 000000000000..e82d7496a0d7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SettingName4.cs @@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SettingName4. + /// + public static class SettingName4 + { + public const string MCAS = "MCAS"; + public const string WDATP = "WDATP"; + public const string WDATPEXCLUDELINUXPUBLICPREVIEW = "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW"; + public const string WDATPUNIFIEDSOLUTION = "WDATP_UNIFIED_SOLUTION"; + public const string Sentinel = "Sentinel"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SettingName5.cs b/src/Security/Security.Management.Sdk/Generated/Models/SettingName5.cs new file mode 100644 index 000000000000..d4199d1ebe60 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SettingName5.cs @@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SettingName5. + /// + public static class SettingName5 + { + public const string MCAS = "MCAS"; + public const string WDATP = "WDATP"; + public const string WDATPEXCLUDELINUXPUBLICPREVIEW = "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW"; + public const string WDATPUNIFIEDSOLUTION = "WDATP_UNIFIED_SOLUTION"; + public const string Sentinel = "Sentinel"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Severity.cs b/src/Security/Security.Management.Sdk/Generated/Models/Severity.cs new file mode 100644 index 000000000000..d8fe3d2429fd --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Severity.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Severity. + /// + public static class Severity + { + public const string Low = "Low"; + public const string Medium = "Medium"; + public const string High = "High"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SeverityEnum.cs b/src/Security/Security.Management.Sdk/Generated/Models/SeverityEnum.cs new file mode 100644 index 000000000000..2cb486159e05 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SeverityEnum.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SeverityEnum. + /// + public static class SeverityEnum + { + public const string High = "High"; + public const string Medium = "Medium"; + public const string Low = "Low"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Software.cs b/src/Security/Security.Management.Sdk/Generated/Models/Software.cs new file mode 100644 index 000000000000..fd19673fdb03 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Software.cs 
@@ -0,0 +1,136 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a software data + /// + [Rest.Serialization.JsonTransformation] + public partial class Software : Resource + { + /// + /// Initializes a new instance of the Software class. + /// + public Software() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the Software class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Unique identifier for the virtual machine in + /// the service. + /// Platform of the operating system running + /// on the device. + /// Name of the software vendor. + /// Name of the software product. + /// Version number of the software + /// product. + /// End of support status. Possible + /// values include: 'None', 'noLongerSupported', + /// 'versionNoLongerSupported', 'upcomingNoLongerSupported', + /// 'upcomingVersionNoLongerSupported' + /// The end of support date in case the + /// product is upcoming end of support. + /// Number of + /// weaknesses. + /// First time that the software was seen in + /// the device. + public Software(string id = default(string), string name = default(string), string type = default(string), string deviceId = default(string), string osPlatform = default(string), string vendor = default(string), string softwareName = default(string), string version = default(string), string endOfSupportStatus = default(string), string endOfSupportDate = default(string), int? 
numberOfKnownVulnerabilities = default(int?), string firstSeenAt = default(string)) + : base(id, name, type) + { + DeviceId = deviceId; + OsPlatform = osPlatform; + Vendor = vendor; + SoftwareName = softwareName; + Version = version; + EndOfSupportStatus = endOfSupportStatus; + EndOfSupportDate = endOfSupportDate; + NumberOfKnownVulnerabilities = numberOfKnownVulnerabilities; + FirstSeenAt = firstSeenAt; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets unique identifier for the virtual machine in the + /// service. + /// + [JsonProperty(PropertyName = "properties.deviceId")] + public string DeviceId { get; set; } + + /// + /// Gets or sets platform of the operating system running on the + /// device. + /// + [JsonProperty(PropertyName = "properties.osPlatform")] + public string OsPlatform { get; set; } + + /// + /// Gets or sets name of the software vendor. + /// + [JsonProperty(PropertyName = "properties.vendor")] + public string Vendor { get; set; } + + /// + /// Gets or sets name of the software product. + /// + [JsonProperty(PropertyName = "properties.softwareName")] + public string SoftwareName { get; set; } + + /// + /// Gets or sets version number of the software product. + /// + [JsonProperty(PropertyName = "properties.version")] + public string Version { get; set; } + + /// + /// Gets or sets end of support status. Possible values include: + /// 'None', 'noLongerSupported', 'versionNoLongerSupported', + /// 'upcomingNoLongerSupported', 'upcomingVersionNoLongerSupported' + /// + [JsonProperty(PropertyName = "properties.endOfSupportStatus")] + public string EndOfSupportStatus { get; set; } + + /// + /// Gets or sets the end of support date in case the product is + /// upcoming end of support. 
+ /// + [JsonProperty(PropertyName = "properties.endOfSupportDate")] + public string EndOfSupportDate { get; set; } + + /// + /// Gets or sets number of weaknesses. + /// + [JsonProperty(PropertyName = "properties.numberOfKnownVulnerabilities")] + public int? NumberOfKnownVulnerabilities { get; set; } + + /// + /// Gets or sets first time that the software was seen in the device. + /// + [JsonProperty(PropertyName = "properties.firstSeenAt")] + public string FirstSeenAt { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SqlServerVulnerabilityProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/SqlServerVulnerabilityProperties.cs new file mode 100644 index 000000000000..f4e6a8943968 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SqlServerVulnerabilityProperties.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Details of the resource that was assessed + /// + [Newtonsoft.Json.JsonObject("SqlServerVulnerability")] + public partial class SqlServerVulnerabilityProperties : AdditionalData + { + /// + /// Initializes a new instance of the SqlServerVulnerabilityProperties + /// class. + /// + public SqlServerVulnerabilityProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SqlServerVulnerabilityProperties + /// class. + /// + /// The resource type the sub assessment refers to + /// in its resource details + /// The T-SQL query that runs on your SQL database + /// to perform the particular check + public SqlServerVulnerabilityProperties(string type = default(string), string query = default(string)) + { + Type = type; + Query = query; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets the resource type the sub assessment refers to in its resource + /// details + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets the T-SQL query that runs on your SQL database to perform the + /// particular check + /// + [JsonProperty(PropertyName = "query")] + public string Query { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/State.cs b/src/Security/Security.Management.Sdk/Generated/Models/State.cs new file mode 100644 index 000000000000..705d4a8a9390 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/State.cs @@ -0,0 +1,39 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for State. + /// + public static class State + { + /// + /// All supported regulatory compliance controls in the given standard + /// have a passed state + /// + public const string Passed = "Passed"; + /// + /// At least one supported regulatory compliance control in the given + /// standard has a state of failed + /// + public const string Failed = "Failed"; + /// + /// All supported regulatory compliance controls in the given standard + /// have a state of skipped + /// + public const string Skipped = "Skipped"; + /// + /// No supported regulatory compliance data for the given standard + /// + public const string Unsupported = "Unsupported"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Status.cs b/src/Security/Security.Management.Sdk/Generated/Models/Status.cs new file mode 100644 index 000000000000..73043aabe2a4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Status.cs 
@@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Status. + /// + public static class Status + { + public const string Revoked = "Revoked"; + public const string Initiated = "Initiated"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/StatusReason.cs b/src/Security/Security.Management.Sdk/Generated/Models/StatusReason.cs new file mode 100644 index 000000000000..05827e56b0e3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/StatusReason.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for StatusReason. + /// + public static class StatusReason + { + public const string Expired = "Expired"; + public const string UserRequested = "UserRequested"; + public const string NewerRequestInitiated = "NewerRequestInitiated"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatus.cs new file mode 100644 index 000000000000..6135ab7b906f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatus.cs 
@@ -0,0 +1,82 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Status of the sub-assessment + /// + public partial class SubAssessmentStatus + { + /// + /// Initializes a new instance of the SubAssessmentStatus class. + /// + public SubAssessmentStatus() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SubAssessmentStatus class. + /// + /// Programmatic code for the status of the + /// assessment. Possible values include: 'Healthy', 'Unhealthy', + /// 'NotApplicable' + /// Programmatic code for the cause of the + /// assessment status + /// Human readable description of the + /// assessment status + /// The sub-assessment severity level. Possible + /// values include: 'Low', 'Medium', 'High' + public SubAssessmentStatus(string code = default(string), string cause = default(string), string description = default(string), string severity = default(string)) + { + Code = code; + Cause = cause; + Description = description; + Severity = severity; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets programmatic code for the status of the assessment. 
Possible + /// values include: 'Healthy', 'Unhealthy', 'NotApplicable' + /// + [JsonProperty(PropertyName = "code")] + public string Code { get; private set; } + + /// + /// Gets programmatic code for the cause of the assessment status + /// + [JsonProperty(PropertyName = "cause")] + public string Cause { get; private set; } + + /// + /// Gets human readable description of the assessment status + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; private set; } + + /// + /// Gets the sub-assessment severity level. Possible values include: + /// 'Low', 'Medium', 'High' + /// + [JsonProperty(PropertyName = "severity")] + public string Severity { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatusCode.cs b/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatusCode.cs new file mode 100644 index 000000000000..29a2701497c4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SubAssessmentStatusCode.cs @@ -0,0 +1,32 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SubAssessmentStatusCode. + /// + public static class SubAssessmentStatusCode + { + /// + /// The resource is healthy + /// + public const string Healthy = "Healthy"; + /// + /// The resource has a security issue that needs to be addressed + /// + public const string Unhealthy = "Unhealthy"; + /// + /// Assessment for this resource did not happen + /// + public const string NotApplicable = "NotApplicable"; + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SubPlan.cs b/src/Security/Security.Management.Sdk/Generated/Models/SubPlan.cs new file mode 100644 index 000000000000..c306cc3ac11f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SubPlan.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SubPlan. + /// + public static class SubPlan + { + public const string P1 = "P1"; + public const string P2 = "P2"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SubscriptionGovernanceRulesExecuteStatusGetHeaders.cs b/src/Security/Security.Management.Sdk/Generated/Models/SubscriptionGovernanceRulesExecuteStatusGetHeaders.cs new file mode 100644 index 000000000000..cfed59a917b8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SubscriptionGovernanceRulesExecuteStatusGetHeaders.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Defines headers for Get operation. + /// + public partial class SubscriptionGovernanceRulesExecuteStatusGetHeaders + { + /// + /// Initializes a new instance of the + /// SubscriptionGovernanceRulesExecuteStatusGetHeaders class. + /// + public SubscriptionGovernanceRulesExecuteStatusGetHeaders() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// SubscriptionGovernanceRulesExecuteStatusGetHeaders class. + /// + /// Location URL for the execution + /// status + public SubscriptionGovernanceRulesExecuteStatusGetHeaders(string location = default(string)) + { + Location = location; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets location URL for the execution status + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SupportedCloudEnum.cs b/src/Security/Security.Management.Sdk/Generated/Models/SupportedCloudEnum.cs new file mode 100644 index 000000000000..f4a13c93dba1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SupportedCloudEnum.cs 
@@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for SupportedCloudEnum. + /// + public static class SupportedCloudEnum + { + public const string AWS = "AWS"; + public const string GCP = "GCP"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SuppressionAlertsScope.cs b/src/Security/Security.Management.Sdk/Generated/Models/SuppressionAlertsScope.cs new file mode 100644 index 000000000000..e60a2338735c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SuppressionAlertsScope.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class SuppressionAlertsScope + { + /// + /// Initializes a new instance of the SuppressionAlertsScope class. + /// + public SuppressionAlertsScope() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SuppressionAlertsScope class. + /// + /// All the conditions inside need to be true in + /// order to suppress the alert + public SuppressionAlertsScope(IList allOf) + { + AllOf = allOf; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets all the conditions inside need to be true in order to + /// suppress the alert + /// + [JsonProperty(PropertyName = "allOf")] + public IList AllOf { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (AllOf == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "AllOf"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/SystemData.cs b/src/Security/Security.Management.Sdk/Generated/Models/SystemData.cs new file mode 100644 index 000000000000..07d83ce36f45 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/SystemData.cs 
@@ -0,0 +1,103 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Metadata pertaining to creation and last modification of the resource. + /// + public partial class SystemData + { + /// + /// Initializes a new instance of the SystemData class. + /// + public SystemData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the SystemData class. + /// + /// The identity that created the + /// resource. + /// The type of identity that created the + /// resource. Possible values include: 'User', 'Application', + /// 'ManagedIdentity', 'Key' + /// The timestamp of resource creation + /// (UTC). + /// The identity that last modified the + /// resource. + /// The type of identity that last + /// modified the resource. Possible values include: 'User', + /// 'Application', 'ManagedIdentity', 'Key' + /// The timestamp of resource last + /// modification (UTC) + public SystemData(string createdBy = default(string), string createdByType = default(string), System.DateTime? createdAt = default(System.DateTime?), string lastModifiedBy = default(string), string lastModifiedByType = default(string), System.DateTime? lastModifiedAt = default(System.DateTime?)) + { + CreatedBy = createdBy; + CreatedByType = createdByType; + CreatedAt = createdAt; + LastModifiedBy = lastModifiedBy; + LastModifiedByType = lastModifiedByType; + LastModifiedAt = lastModifiedAt; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the identity that created the resource. 
+ /// + [JsonProperty(PropertyName = "createdBy")] + public string CreatedBy { get; set; } + + /// + /// Gets or sets the type of identity that created the resource. + /// Possible values include: 'User', 'Application', 'ManagedIdentity', + /// 'Key' + /// + [JsonProperty(PropertyName = "createdByType")] + public string CreatedByType { get; set; } + + /// + /// Gets or sets the timestamp of resource creation (UTC). + /// + [JsonProperty(PropertyName = "createdAt")] + public System.DateTime? CreatedAt { get; set; } + + /// + /// Gets or sets the identity that last modified the resource. + /// + [JsonProperty(PropertyName = "lastModifiedBy")] + public string LastModifiedBy { get; set; } + + /// + /// Gets or sets the type of identity that last modified the resource. + /// Possible values include: 'User', 'Application', 'ManagedIdentity', + /// 'Key' + /// + [JsonProperty(PropertyName = "lastModifiedByType")] + public string LastModifiedByType { get; set; } + + /// + /// Gets or sets the timestamp of resource last modification (UTC) + /// + [JsonProperty(PropertyName = "lastModifiedAt")] + public System.DateTime? LastModifiedAt { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Tactics.cs b/src/Security/Security.Management.Sdk/Generated/Models/Tactics.cs new file mode 100644 index 000000000000..dd960101d446 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Tactics.cs 
@@ -0,0 +1,34 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Tactics. + /// + public static class Tactics + { + public const string Reconnaissance = "Reconnaissance"; + public const string ResourceDevelopment = "Resource Development"; + public const string InitialAccess = "Initial Access"; + public const string Execution = "Execution"; + public const string Persistence = "Persistence"; + public const string PrivilegeEscalation = "Privilege Escalation"; + public const string DefenseEvasion = "Defense Evasion"; + public const string CredentialAccess = "Credential Access"; + public const string Discovery = "Discovery"; + public const string LateralMovement = "Lateral Movement"; + public const string Collection = "Collection"; + public const string CommandandControl = "Command and Control"; + public const string Exfiltration = "Exfiltration"; + public const string Impact = "Impact"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TagsResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/TagsResource.cs new file mode 100644 index 000000000000..66212bd8fb3a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TagsResource.cs 
@@ -0,0 +1,54 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// A container holding only the Tags for a resource, allowing the user to + /// update the tags. + /// + public partial class TagsResource + { + /// + /// Initializes a new instance of the TagsResource class. + /// + public TagsResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TagsResource class. + /// + /// Resource tags + public TagsResource(IDictionary tags = default(IDictionary)) + { + Tags = tags; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets resource tags + /// + [JsonProperty(PropertyName = "tags")] + public IDictionary Tags { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TaskUpdateActionType.cs b/src/Security/Security.Management.Sdk/Generated/Models/TaskUpdateActionType.cs new file mode 100644 index 000000000000..c296c6abfb5f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TaskUpdateActionType.cs 
@@ -0,0 +1,25 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for TaskUpdateActionType. + /// + public static class TaskUpdateActionType + { + public const string Activate = "Activate"; + public const string Dismiss = "Dismiss"; + public const string Start = "Start"; + public const string Resolve = "Resolve"; + public const string Close = "Close"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Techniques.cs b/src/Security/Security.Management.Sdk/Generated/Models/Techniques.cs new file mode 100644 index 000000000000..9acf4cad6320 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Techniques.cs 
@@ -0,0 +1,124 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Techniques. + /// + public static class Techniques + { + public const string AbuseElevationControlMechanism = "Abuse Elevation Control Mechanism"; + public const string AccessTokenManipulation = "Access Token Manipulation"; + public const string AccountDiscovery = "Account Discovery"; + public const string AccountManipulation = "Account Manipulation"; + public const string ActiveScanning = "Active Scanning"; + public const string ApplicationLayerProtocol = "Application Layer Protocol"; + public const string AudioCapture = "Audio Capture"; + public const string BootorLogonAutostartExecution = "Boot or Logon Autostart Execution"; + public const string BootorLogonInitializationScripts = "Boot or Logon Initialization Scripts"; + public const string BruteForce = "Brute Force"; + public const string CloudInfrastructureDiscovery = "Cloud Infrastructure Discovery"; + public const string CloudServiceDashboard = "Cloud Service Dashboard"; + public const string CloudServiceDiscovery = "Cloud Service Discovery"; + public const string CommandandScriptingInterpreter = "Command and Scripting Interpreter"; + public const string CompromiseClientSoftwareBinary = "Compromise Client Software Binary"; + public const string CompromiseInfrastructure = "Compromise Infrastructure"; + public const string ContainerandResourceDiscovery = "Container and Resource Discovery"; + public const string CreateAccount = "Create Account"; + public const string CreateorModifySystemProcess = "Create or Modify System Process"; + public const string CredentialsfromPasswordStores 
= "Credentials from Password Stores"; + public const string DataDestruction = "Data Destruction"; + public const string DataEncryptedforImpact = "Data Encrypted for Impact"; + public const string DatafromCloudStorageObject = "Data from Cloud Storage Object"; + public const string DatafromConfigurationRepository = "Data from Configuration Repository"; + public const string DatafromInformationRepositories = "Data from Information Repositories"; + public const string DatafromLocalSystem = "Data from Local System"; + public const string DataManipulation = "Data Manipulation"; + public const string DataStaged = "Data Staged"; + public const string Defacement = "Defacement"; + public const string DeobfuscateDecodeFilesorInformation = "Deobfuscate/Decode Files or Information"; + public const string DiskWipe = "Disk Wipe"; + public const string DomainTrustDiscovery = "Domain Trust Discovery"; + public const string DriveByCompromise = "Drive-by Compromise"; + public const string DynamicResolution = "Dynamic Resolution"; + public const string EndpointDenialofService = "Endpoint Denial of Service"; + public const string EventTriggeredExecution = "Event Triggered Execution"; + public const string ExfiltrationOverAlternativeProtocol = "Exfiltration Over Alternative Protocol"; + public const string ExploitPublicFacingApplication = "Exploit Public-Facing Application"; + public const string ExploitationforClientExecution = "Exploitation for Client Execution"; + public const string ExploitationforCredentialAccess = "Exploitation for Credential Access"; + public const string ExploitationforDefenseEvasion = "Exploitation for Defense Evasion"; + public const string ExploitationforPrivilegeEscalation = "Exploitation for Privilege Escalation"; + public const string ExploitationofRemoteServices = "Exploitation of Remote Services"; + public const string ExternalRemoteServices = "External Remote Services"; + public const string FallbackChannels = "Fallback Channels"; + public const string 
FileandDirectoryDiscovery = "File and Directory Discovery"; + public const string GatherVictimNetworkInformation = "Gather Victim Network Information"; + public const string HideArtifacts = "Hide Artifacts"; + public const string HijackExecutionFlow = "Hijack Execution Flow"; + public const string ImpairDefenses = "Impair Defenses"; + public const string ImplantContainerImage = "Implant Container Image"; + public const string IndicatorRemovalonHost = "Indicator Removal on Host"; + public const string IndirectCommandExecution = "Indirect Command Execution"; + public const string IngressToolTransfer = "Ingress Tool Transfer"; + public const string InputCapture = "Input Capture"; + public const string InterProcessCommunication = "Inter-Process Communication"; + public const string LateralToolTransfer = "Lateral Tool Transfer"; + public const string ManInTheMiddle = "Man-in-the-Middle"; + public const string Masquerading = "Masquerading"; + public const string ModifyAuthenticationProcess = "Modify Authentication Process"; + public const string ModifyRegistry = "Modify Registry"; + public const string NetworkDenialofService = "Network Denial of Service"; + public const string NetworkServiceScanning = "Network Service Scanning"; + public const string NetworkSniffing = "Network Sniffing"; + public const string NonApplicationLayerProtocol = "Non-Application Layer Protocol"; + public const string NonStandardPort = "Non-Standard Port"; + public const string ObtainCapabilities = "Obtain Capabilities"; + public const string ObfuscatedFilesorInformation = "Obfuscated Files or Information"; + public const string OfficeApplicationStartup = "Office Application Startup"; + public const string OSCredentialDumping = "OS Credential Dumping"; + public const string PermissionGroupsDiscovery = "Permission Groups Discovery"; + public const string Phishing = "Phishing"; + public const string PreOSBoot = "Pre-OS Boot"; + public const string ProcessDiscovery = "Process Discovery"; + public 
const string ProcessInjection = "Process Injection"; + public const string ProtocolTunneling = "Protocol Tunneling"; + public const string Proxy = "Proxy"; + public const string QueryRegistry = "Query Registry"; + public const string RemoteAccessSoftware = "Remote Access Software"; + public const string RemoteServiceSessionHijacking = "Remote Service Session Hijacking"; + public const string RemoteServices = "Remote Services"; + public const string RemoteSystemDiscovery = "Remote System Discovery"; + public const string ResourceHijacking = "Resource Hijacking"; + public const string ScheduledTaskJob = "Scheduled Task/Job"; + public const string ScreenCapture = "Screen Capture"; + public const string SearchVictimOwnedWebsites = "Search Victim-Owned Websites"; + public const string ServerSoftwareComponent = "Server Software Component"; + public const string ServiceStop = "Service Stop"; + public const string SignedBinaryProxyExecution = "Signed Binary Proxy Execution"; + public const string SoftwareDeploymentTools = "Software Deployment Tools"; + public const string SQLStoredProcedures = "SQL Stored Procedures"; + public const string StealorForgeKerberosTickets = "Steal or Forge Kerberos Tickets"; + public const string SubvertTrustControls = "Subvert Trust Controls"; + public const string SupplyChainCompromise = "Supply Chain Compromise"; + public const string SystemInformationDiscovery = "System Information Discovery"; + public const string TaintSharedContent = "Taint Shared Content"; + public const string TrafficSignaling = "Traffic Signaling"; + public const string TransferDatatoCloudAccount = "Transfer Data to Cloud Account"; + public const string TrustedRelationship = "Trusted Relationship"; + public const string UnsecuredCredentials = "Unsecured Credentials"; + public const string UserExecution = "User Execution"; + public const string ValidAccounts = "Valid Accounts"; + public const string WindowsManagementInstrumentation = "Windows Management 
Instrumentation"; + public const string FileandDirectoryPermissionsModification = "File and Directory Permissions Modification"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Threats.cs b/src/Security/Security.Management.Sdk/Generated/Models/Threats.cs new file mode 100644 index 000000000000..599f07219ffb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/Threats.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Threats. + /// + public static class Threats + { + public const string AccountBreach = "accountBreach"; + public const string DataExfiltration = "dataExfiltration"; + public const string DataSpillage = "dataSpillage"; + public const string MaliciousInsider = "maliciousInsider"; + public const string ElevationOfPrivilege = "elevationOfPrivilege"; + public const string ThreatResistance = "threatResistance"; + public const string MissingCoverage = "missingCoverage"; + public const string DenialOfService = "denialOfService"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ThresholdCustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/ThresholdCustomAlertRule.cs new file mode 100644 index 000000000000..7df8da76196b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ThresholdCustomAlertRule.cs 
@@ -0,0 +1,77 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A custom alert rule that checks if a value (depends on the custom alert + /// type) is within the given range. + /// + [Newtonsoft.Json.JsonObject("ThresholdCustomAlertRule")] + public partial class ThresholdCustomAlertRule : CustomAlertRule + { + /// + /// Initializes a new instance of the ThresholdCustomAlertRule class. + /// + public ThresholdCustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the ThresholdCustomAlertRule class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public ThresholdCustomAlertRule(bool isEnabled, int minThreshold, int maxThreshold, string displayName = default(string), string description = default(string)) + : base(isEnabled, displayName, description) + { + MinThreshold = minThreshold; + MaxThreshold = maxThreshold; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the minimum threshold. + /// + [JsonProperty(PropertyName = "minThreshold")] + public int MinThreshold { get; set; } + + /// + /// Gets or sets the maximum threshold. + /// + [JsonProperty(PropertyName = "maxThreshold")] + public int MaxThreshold { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TimeWindowCustomAlertRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/TimeWindowCustomAlertRule.cs new file mode 100644 index 000000000000..eaeb685da1b5 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TimeWindowCustomAlertRule.cs 
@@ -0,0 +1,72 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// A custom alert rule that checks if the number of activities (depends on + /// the custom alert type) in a time window is within the given range. + /// + [Newtonsoft.Json.JsonObject("TimeWindowCustomAlertRule")] + public partial class TimeWindowCustomAlertRule : ThresholdCustomAlertRule + { + /// + /// Initializes a new instance of the TimeWindowCustomAlertRule class. + /// + public TimeWindowCustomAlertRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TimeWindowCustomAlertRule class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public TimeWindowCustomAlertRule(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, displayName, description) + { + TimeWindowSize = timeWindowSize; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the time window size in iso8601 format. + /// + [JsonProperty(PropertyName = "timeWindowSize")] + public System.TimeSpan TimeWindowSize { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TopologyResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/TopologyResource.cs new file mode 100644 index 000000000000..0b7bb6c3c668 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TopologyResource.cs 
@@ -0,0 +1,96 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class TopologyResource + { + /// + /// Initializes a new instance of the TopologyResource class. + /// + public TopologyResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TopologyResource class. + /// + /// Resource Id + /// Resource name + /// Resource type + /// Location where the resource is + /// stored + /// The UTC time on which the topology + /// was calculated + /// Azure resources which are part of + /// this topology resource + public TopologyResource(string id = default(string), string name = default(string), string type = default(string), string location = default(string), System.DateTime? 
calculatedDateTime = default(System.DateTime?), IList topologyResources = default(IList)) + { + Id = id; + Name = name; + Type = type; + Location = location; + CalculatedDateTime = calculatedDateTime; + TopologyResources = topologyResources; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets resource Id + /// + [JsonProperty(PropertyName = "id")] + public string Id { get; private set; } + + /// + /// Gets resource name + /// + [JsonProperty(PropertyName = "name")] + public string Name { get; private set; } + + /// + /// Gets resource type + /// + [JsonProperty(PropertyName = "type")] + public string Type { get; private set; } + + /// + /// Gets location where the resource is stored + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets the UTC time on which the topology was calculated + /// + [JsonProperty(PropertyName = "properties.calculatedDateTime")] + public System.DateTime? CalculatedDateTime { get; private set; } + + /// + /// Gets azure resources which are part of this topology resource + /// + [JsonProperty(PropertyName = "properties.topologyResources")] + public IList TopologyResources { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResource.cs b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResource.cs new file mode 100644 index 000000000000..389401335b55 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResource.cs 
@@ -0,0 +1,115 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + public partial class TopologySingleResource + { + /// + /// Initializes a new instance of the TopologySingleResource class. + /// + public TopologySingleResource() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TopologySingleResource class. + /// + /// Azure resource id + /// The security severity of the + /// resource + /// Indicates if the resource has + /// security recommendations + /// Indicates the resource connectivity + /// level to the Internet (InternetFacing, Internal ,etc.) + /// Score of the resource based on its + /// security severity + /// The location of this resource + /// Azure resources connected to this resource + /// which are in higher level in the topology view + /// Azure resources connected to this resource + /// which are in lower level in the topology view + public TopologySingleResource(string resourceId = default(string), string severity = default(string), bool? recommendationsExist = default(bool?), string networkZones = default(string), int? 
topologyScore = default(int?), string location = default(string), IList parents = default(IList), IList children = default(IList)) + { + ResourceId = resourceId; + Severity = severity; + RecommendationsExist = recommendationsExist; + NetworkZones = networkZones; + TopologyScore = topologyScore; + Location = location; + Parents = parents; + Children = children; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure resource id + /// + [JsonProperty(PropertyName = "resourceId")] + public string ResourceId { get; private set; } + + /// + /// Gets the security severity of the resource + /// + [JsonProperty(PropertyName = "severity")] + public string Severity { get; private set; } + + /// + /// Gets indicates if the resource has security recommendations + /// + [JsonProperty(PropertyName = "recommendationsExist")] + public bool? RecommendationsExist { get; private set; } + + /// + /// Gets indicates the resource connectivity level to the Internet + /// (InternetFacing, Internal ,etc.) + /// + [JsonProperty(PropertyName = "networkZones")] + public string NetworkZones { get; private set; } + + /// + /// Gets score of the resource based on its security severity + /// + [JsonProperty(PropertyName = "topologyScore")] + public int? TopologyScore { get; private set; } + + /// + /// Gets the location of this resource + /// + [JsonProperty(PropertyName = "location")] + public string Location { get; private set; } + + /// + /// Gets azure resources connected to this resource which are in higher + /// level in the topology view + /// + [JsonProperty(PropertyName = "parents")] + public IList Parents { get; private set; } + + /// + /// Gets azure resources connected to this resource which are in lower + /// level in the topology view + /// + [JsonProperty(PropertyName = "children")] + public IList Children { get; private set; } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceChild.cs b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceChild.cs new file mode 100644 index 000000000000..186ba225522b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceChild.cs @@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + public partial class TopologySingleResourceChild + { + /// + /// Initializes a new instance of the TopologySingleResourceChild + /// class. + /// + public TopologySingleResourceChild() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TopologySingleResourceChild + /// class. + /// + /// Azure resource id which serves as child + /// resource in topology view + public TopologySingleResourceChild(string resourceId = default(string)) + { + ResourceId = resourceId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure resource id which serves as child resource in topology + /// view + /// + [JsonProperty(PropertyName = "resourceId")] + public string ResourceId { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceParent.cs b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceParent.cs new file mode 100644 index 000000000000..6d3f5e55d010 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TopologySingleResourceParent.cs 
@@ -0,0 +1,52 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + public partial class TopologySingleResourceParent + { + /// + /// Initializes a new instance of the TopologySingleResourceParent + /// class. + /// + public TopologySingleResourceParent() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TopologySingleResourceParent + /// class. + /// + /// Azure resource id which serves as parent + /// resource in topology view + public TopologySingleResourceParent(string resourceId = default(string)) + { + ResourceId = resourceId; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets azure resource id which serves as parent resource in topology + /// view + /// + [JsonProperty(PropertyName = "resourceId")] + public string ResourceId { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TransportProtocol.cs b/src/Security/Security.Management.Sdk/Generated/Models/TransportProtocol.cs new file mode 100644 index 000000000000..6471d37ae648 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TransportProtocol.cs 
@@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for TransportProtocol. + /// + public static class TransportProtocol + { + public const string TCP = "TCP"; + public const string UDP = "UDP"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/TwinUpdatesNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/TwinUpdatesNotInAllowedRange.cs new file mode 100644 index 000000000000..e0b4415251e9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/TwinUpdatesNotInAllowedRange.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of twin updates is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("TwinUpdatesNotInAllowedRange")] + public partial class TwinUpdatesNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the TwinUpdatesNotInAllowedRange + /// class. + /// + public TwinUpdatesNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the TwinUpdatesNotInAllowedRange + /// class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public TwinUpdatesNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/Type.cs b/src/Security/Security.Management.Sdk/Generated/Models/Type.cs new file mode 100644 index 000000000000..de82097b95ad --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/Models/Type.cs @@ -0,0 +1,22 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for Type. + /// + public static class Type + { + public const string Qualys = "Qualys"; + public const string TVM = "TVM"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UnauthorizedOperationsNotInAllowedRange.cs b/src/Security/Security.Management.Sdk/Generated/Models/UnauthorizedOperationsNotInAllowedRange.cs new file mode 100644 index 000000000000..f57c05fd4648 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UnauthorizedOperationsNotInAllowedRange.cs 
@@ -0,0 +1,66 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Number of unauthorized operations is not in allowed range. + /// + [Newtonsoft.Json.JsonObject("UnauthorizedOperationsNotInAllowedRange")] + public partial class UnauthorizedOperationsNotInAllowedRange : TimeWindowCustomAlertRule + { + /// + /// Initializes a new instance of the + /// UnauthorizedOperationsNotInAllowedRange class. + /// + public UnauthorizedOperationsNotInAllowedRange() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the + /// UnauthorizedOperationsNotInAllowedRange class. + /// + /// Status of the custom alert. + /// The minimum threshold. + /// The maximum threshold. + /// The time window size in iso8601 + /// format. + /// The display name of the custom + /// alert. + /// The description of the custom + /// alert. + public UnauthorizedOperationsNotInAllowedRange(bool isEnabled, int minThreshold, int maxThreshold, System.TimeSpan timeWindowSize, string displayName = default(string), string description = default(string)) + : base(isEnabled, minThreshold, maxThreshold, timeWindowSize, displayName, description) + { + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public override void Validate() + { + base.Validate(); + } + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UnmaskedIpLoggingStatus.cs b/src/Security/Security.Management.Sdk/Generated/Models/UnmaskedIpLoggingStatus.cs new file mode 100644 index 000000000000..3e10ac3c9d4a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UnmaskedIpLoggingStatus.cs @@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for UnmaskedIpLoggingStatus. + /// + public static class UnmaskedIpLoggingStatus + { + /// + /// Unmasked IP logging is disabled + /// + public const string Disabled = "Disabled"; + /// + /// Unmasked IP logging is enabled + /// + public const string Enabled = "Enabled"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UpdateIotSecuritySolutionData.cs b/src/Security/Security.Management.Sdk/Generated/Models/UpdateIotSecuritySolutionData.cs new file mode 100644 index 000000000000..f789fd59b1e1 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UpdateIotSecuritySolutionData.cs 
@@ -0,0 +1,84 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + [Rest.Serialization.JsonTransformation] + public partial class UpdateIotSecuritySolutionData : TagsResource + { + /// + /// Initializes a new instance of the UpdateIotSecuritySolutionData + /// class. + /// + public UpdateIotSecuritySolutionData() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the UpdateIotSecuritySolutionData + /// class. + /// + /// Resource tags + public UpdateIotSecuritySolutionData(IDictionary tags = default(IDictionary), UserDefinedResourcesProperties userDefinedResources = default(UserDefinedResourcesProperties), IList recommendationsConfiguration = default(IList)) + : base(tags) + { + UserDefinedResources = userDefinedResources; + RecommendationsConfiguration = recommendationsConfiguration; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// + [JsonProperty(PropertyName = "properties.userDefinedResources")] + public UserDefinedResourcesProperties UserDefinedResources { get; set; } + + /// + /// + [JsonProperty(PropertyName = "properties.recommendationsConfiguration")] + public IList RecommendationsConfiguration { get; set; } + + /// + /// Validate the object. 
+ /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (UserDefinedResources != null) + { + UserDefinedResources.Validate(); + } + if (RecommendationsConfiguration != null) + { + foreach (var element in RecommendationsConfiguration) + { + if (element != null) + { + element.Validate(); + } + } + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UserDefinedResourcesProperties.cs b/src/Security/Security.Management.Sdk/Generated/Models/UserDefinedResourcesProperties.cs new file mode 100644 index 000000000000..509f38822ff6 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UserDefinedResourcesProperties.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// Properties of the IoT Security solution's user defined resources. + /// + public partial class UserDefinedResourcesProperties + { + /// + /// Initializes a new instance of the UserDefinedResourcesProperties + /// class. + /// + public UserDefinedResourcesProperties() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the UserDefinedResourcesProperties + /// class. + /// + /// Azure Resource Graph query which represents the + /// security solution's user defined resources. Required to start with + /// "where type != "Microsoft.Devices/IotHubs"" + /// List of Azure subscription ids on + /// which the user defined resources query should be executed. + public UserDefinedResourcesProperties(string query, IList querySubscriptions) + { + Query = query; + QuerySubscriptions = querySubscriptions; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets azure Resource Graph query which represents the + /// security solution's user defined resources. Required to start with + /// "where type != "Microsoft.Devices/IotHubs"" + /// + [JsonProperty(PropertyName = "query")] + public string Query { get; set; } + + /// + /// Gets or sets list of Azure subscription ids on which the user + /// defined resources query should be executed. 
+ /// + [JsonProperty(PropertyName = "querySubscriptions")] + public IList QuerySubscriptions { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (Query == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Query"); + } + if (QuerySubscriptions == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "QuerySubscriptions"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UserImpact.cs b/src/Security/Security.Management.Sdk/Generated/Models/UserImpact.cs new file mode 100644 index 000000000000..f8467055956b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UserImpact.cs @@ -0,0 +1,23 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for UserImpact. + /// + public static class UserImpact + { + public const string Low = "Low"; + public const string Moderate = "Moderate"; + public const string High = "High"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/UserRecommendation.cs b/src/Security/Security.Management.Sdk/Generated/Models/UserRecommendation.cs new file mode 100644 index 000000000000..2fb025f28d4b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/UserRecommendation.cs 
@@ -0,0 +1,63 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a user that is recommended to be allowed for a certain rule + /// + public partial class UserRecommendation + { + /// + /// Initializes a new instance of the UserRecommendation class. + /// + public UserRecommendation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the UserRecommendation class. + /// + /// Represents a user that is recommended to be + /// allowed for a certain rule + /// Possible values include: + /// 'Recommended', 'Add', 'Remove' + public UserRecommendation(string username = default(string), string recommendationAction = default(string)) + { + Username = username; + RecommendationAction = recommendationAction; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets represents a user that is recommended to be allowed + /// for a certain rule + /// + [JsonProperty(PropertyName = "username")] + public string Username { get; set; } + + /// + /// Gets or sets possible values include: 'Recommended', 'Add', + /// 'Remove' + /// + [JsonProperty(PropertyName = "recommendationAction")] + public string RecommendationAction { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/VaRule.cs b/src/Security/Security.Management.Sdk/Generated/Models/VaRule.cs new file mode 100644 index 000000000000..8aa624d21d9a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/VaRule.cs 
@@ -0,0 +1,119 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + + /// + /// vulnerability assessment rule metadata details. + /// + public partial class VaRule + { + /// + /// Initializes a new instance of the VaRule class. + /// + public VaRule() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the VaRule class. + /// + /// The rule Id. + /// Possible values include: 'High', 'Medium', + /// 'Low', 'Informational', 'Obsolete' + /// The rule category. + /// Possible values include: 'Binary', + /// 'BaselineExpected', 'PositiveList', 'NegativeList' + /// The rule title. + /// The rule description. + /// The rule rationale. + /// The benchmark references. + public VaRule(string ruleId = default(string), string severity = default(string), string category = default(string), string ruleType = default(string), string title = default(string), string description = default(string), string rationale = default(string), QueryCheck queryCheck = default(QueryCheck), IList benchmarkReferences = default(IList)) + { + RuleId = ruleId; + Severity = severity; + Category = category; + RuleType = ruleType; + Title = title; + Description = description; + Rationale = rationale; + QueryCheck = queryCheck; + BenchmarkReferences = benchmarkReferences; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the rule Id. 
+ /// + [JsonProperty(PropertyName = "ruleId")] + public string RuleId { get; set; } + + /// + /// Gets or sets possible values include: 'High', 'Medium', 'Low', + /// 'Informational', 'Obsolete' + /// + [JsonProperty(PropertyName = "severity")] + public string Severity { get; set; } + + /// + /// Gets or sets the rule category. + /// + [JsonProperty(PropertyName = "category")] + public string Category { get; set; } + + /// + /// Gets or sets possible values include: 'Binary', 'BaselineExpected', + /// 'PositiveList', 'NegativeList' + /// + [JsonProperty(PropertyName = "ruleType")] + public string RuleType { get; set; } + + /// + /// Gets or sets the rule title. + /// + [JsonProperty(PropertyName = "title")] + public string Title { get; set; } + + /// + /// Gets or sets the rule description. + /// + [JsonProperty(PropertyName = "description")] + public string Description { get; set; } + + /// + /// Gets or sets the rule rationale. + /// + [JsonProperty(PropertyName = "rationale")] + public string Rationale { get; set; } + + /// + /// + [JsonProperty(PropertyName = "queryCheck")] + public QueryCheck QueryCheck { get; set; } + + /// + /// Gets or sets the benchmark references. + /// + [JsonProperty(PropertyName = "benchmarkReferences")] + public IList BenchmarkReferences { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/ValueType.cs b/src/Security/Security.Management.Sdk/Generated/Models/ValueType.cs new file mode 100644 index 000000000000..555342f47de3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/ValueType.cs 
@@ -0,0 +1,28 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + + /// + /// Defines values for ValueType. + /// + public static class ValueType + { + /// + /// An IP range in CIDR format (e.g. '192.168.0.1/8'). + /// + public const string IpCidr = "IpCidr"; + /// + /// Any string value. + /// + public const string String = "String"; + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/VendorReference.cs b/src/Security/Security.Management.Sdk/Generated/Models/VendorReference.cs new file mode 100644 index 000000000000..09c28c8f0fe7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/VendorReference.cs 
@@ -0,0 +1,59 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Vendor reference + /// + public partial class VendorReference + { + /// + /// Initializes a new instance of the VendorReference class. + /// + public VendorReference() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the VendorReference class. + /// + /// Link title + /// Link url + public VendorReference(string title = default(string), string link = default(string)) + { + Title = title; + Link = link; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets link title + /// + [JsonProperty(PropertyName = "title")] + public string Title { get; private set; } + + /// + /// Gets link url + /// + [JsonProperty(PropertyName = "link")] + public string Link { get; private set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/VmRecommendation.cs b/src/Security/Security.Management.Sdk/Generated/Models/VmRecommendation.cs new file mode 100644 index 000000000000..d9ffe6372bac --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/VmRecommendation.cs 
@@ -0,0 +1,80 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Newtonsoft.Json; + using System.Linq; + + /// + /// Represents a machine that is part of a machine group + /// + public partial class VmRecommendation + { + /// + /// Initializes a new instance of the VmRecommendation class. + /// + public VmRecommendation() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the VmRecommendation class. + /// + /// Possible values include: + /// 'Configured', 'NotConfigured', 'InProgress', 'Failed', + /// 'NoStatus' + /// Possible values include: + /// 'Recommended', 'Add', 'Remove' + /// Possible values include: + /// 'Supported', 'NotSupported', 'Unknown' + public VmRecommendation(string configurationStatus = default(string), string recommendationAction = default(string), string resourceId = default(string), string enforcementSupport = default(string)) + { + ConfigurationStatus = configurationStatus; + RecommendationAction = recommendationAction; + ResourceId = resourceId; + EnforcementSupport = enforcementSupport; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets possible values include: 'Configured', + /// 'NotConfigured', 'InProgress', 'Failed', 'NoStatus' + /// + [JsonProperty(PropertyName = "configurationStatus")] + public string ConfigurationStatus { get; set; } + + /// + /// Gets or sets possible values include: 'Recommended', 'Add', + /// 'Remove' + /// + [JsonProperty(PropertyName = "recommendationAction")] + public string RecommendationAction { get; set; } + + /// + /// + 
[JsonProperty(PropertyName = "resourceId")] + public string ResourceId { get; set; } + + /// + /// Gets or sets possible values include: 'Supported', 'NotSupported', + /// 'Unknown' + /// + [JsonProperty(PropertyName = "enforcementSupport")] + public string EnforcementSupport { get; set; } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Models/WorkspaceSetting.cs b/src/Security/Security.Management.Sdk/Generated/Models/WorkspaceSetting.cs new file mode 100644 index 000000000000..a3d55c0c0494 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Models/WorkspaceSetting.cs 
@@ -0,0 +1,89 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security.Models +{ + using Microsoft.Rest; + using Microsoft.Rest.Serialization; + using Newtonsoft.Json; + using System.Linq; + + /// + /// Configures where to store the OMS agent data for workspaces under a + /// scope + /// + [Rest.Serialization.JsonTransformation] + public partial class WorkspaceSetting : Resource + { + /// + /// Initializes a new instance of the WorkspaceSetting class. + /// + public WorkspaceSetting() + { + CustomInit(); + } + + /// + /// Initializes a new instance of the WorkspaceSetting class. + /// + /// The full Azure ID of the workspace to + /// save the data in + /// All the VMs in this scope will send their + /// security data to the mentioned workspace unless overridden by a + /// setting with more specific scope + /// Resource Id + /// Resource name + /// Resource type + public WorkspaceSetting(string workspaceId, string scope, string id = default(string), string name = default(string), string type = default(string)) + : base(id, name, type) + { + WorkspaceId = workspaceId; + Scope = scope; + CustomInit(); + } + + /// + /// An initialization method that performs custom operations like setting defaults + /// + partial void CustomInit(); + + /// + /// Gets or sets the full Azure ID of the workspace to save the data in + /// + [JsonProperty(PropertyName = "properties.workspaceId")] + public string WorkspaceId { get; set; } + + /// + /// Gets or sets all the VMs in this scope will send their security + /// data to the mentioned workspace unless overridden by a setting with + /// more specific scope + /// + [JsonProperty(PropertyName = "properties.scope")] + 
public string Scope { get; set; } + + /// + /// Validate the object. + /// + /// + /// Thrown if validation fails + /// + public virtual void Validate() + { + if (WorkspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "WorkspaceId"); + } + if (Scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "Scope"); + } + } + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/Operations.cs b/src/Security/Security.Management.Sdk/Generated/Operations.cs new file mode 100644 index 000000000000..98734535b88e --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/Operations.cs 
@@ -0,0 +1,392 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Operations operations. + /// + internal partial class Operations : IServiceOperations, IOperations + { + /// + /// Initializes a new instance of the Operations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal Operations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "providers/Microsoft.Security/operations").ToString(); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/OperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/OperationsExtensions.cs new file mode 100644 index 000000000000..3c376d08fd0d --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/OperationsExtensions.cs 
@@ -0,0 +1,87 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for Operations. + /// + public static partial class OperationsExtensions + { + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Exposes all available operations for discovery purposes. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs new file mode 100644 index 000000000000..a955ddb5d768 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs 
@@ -0,0 +1,653 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// PricingsOperations operations. + /// + internal partial class PricingsOperations : IServiceOperations, IPricingsOperations + { + /// + /// Initializes a new instance of the PricingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal PricingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Lists Microsoft Defender for Cloud pricing configurations in the + /// subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2022-03-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a provided Microsoft Defender for Cloud pricing configuration in the + /// subscription. + /// + /// + /// name of the pricing configuration + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string pricingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (pricingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "pricingName"); + } + string apiVersion = "2022-03-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("pricingName", pricingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/{pricingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{pricingName}", System.Uri.EscapeDataString(pricingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = 
await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Updates a provided Microsoft Defender for Cloud pricing configuration in + /// the subscription. + /// + /// + /// name of the pricing configuration + /// + /// + /// The pricing tier value. Microsoft Defender for Cloud is provided in two + /// pricing tiers: free and standard, with the standard tier available with a + /// trial period. The standard tier offers advanced security capabilities, + /// while the free tier offers basic security features. Possible values + /// include: 'Free', 'Standard' + /// + /// + /// The sub-plan selected for a Standard pricing configuration, when more than + /// one sub-plan is available. Each sub-plan enables a set of security + /// features. When not specified, full plan is applied. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> UpdateWithHttpMessagesAsync(string pricingName, string pricingTier, string subPlan = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (pricingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "pricingName"); + } + if (pricingTier == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "pricingTier"); + } + string apiVersion = "2022-03-01"; + Pricing pricing = new Pricing(); + if (pricingTier != null || subPlan != null) + { + pricing.PricingTier = pricingTier; + pricing.SubPlan = subPlan; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("pricingName", pricingName); + tracingParameters.Add("pricing", pricing); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/{pricingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{pricingName}", System.Uri.EscapeDataString(pricingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(pricing != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(pricing, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if 
(Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/PricingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/PricingsOperationsExtensions.cs new file mode 100644 index 000000000000..1bb6927ae5b8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/PricingsOperationsExtensions.cs 
@@ -0,0 +1,151 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for PricingsOperations. + /// + public static partial class PricingsOperationsExtensions + { + /// + /// Lists Microsoft Defender for Cloud pricing configurations in the + /// subscription. + /// + /// + /// The operations group for this extension method. + /// + public static PricingList List(this IPricingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Lists Microsoft Defender for Cloud pricing configurations in the + /// subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this IPricingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a provided Microsoft Defender for Cloud pricing configuration in the + /// subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// name of the pricing configuration + /// + public static Pricing Get(this IPricingsOperations operations, string pricingName) + { + return operations.GetAsync(pricingName).GetAwaiter().GetResult(); + } + + /// + /// Gets a provided Microsoft Defender for Cloud pricing configuration in the + /// subscription. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// name of the pricing configuration + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IPricingsOperations operations, string pricingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(pricingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Updates a provided Microsoft Defender for Cloud pricing configuration in + /// the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// name of the pricing configuration + /// + /// + /// The pricing tier value. Microsoft Defender for Cloud is provided in two + /// pricing tiers: free and standard, with the standard tier available with a + /// trial period. The standard tier offers advanced security capabilities, + /// while the free tier offers basic security features. Possible values + /// include: 'Free', 'Standard' + /// + /// + /// The sub-plan selected for a Standard pricing configuration, when more than + /// one sub-plan is available. Each sub-plan enables a set of security + /// features. When not specified, full plan is applied. + /// + public static Pricing Update(this IPricingsOperations operations, string pricingName, string pricingTier, string subPlan = default(string)) + { + return operations.UpdateAsync(pricingName, pricingTier, subPlan).GetAwaiter().GetResult(); + } + + /// + /// Updates a provided Microsoft Defender for Cloud pricing configuration in + /// the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// name of the pricing configuration + /// + /// + /// The pricing tier value. Microsoft Defender for Cloud is provided in two + /// pricing tiers: free and standard, with the standard tier available with a + /// trial period. 
The standard tier offers advanced security capabilities, + /// while the free tier offers basic security features. Possible values + /// include: 'Free', 'Standard' + /// + /// + /// The sub-plan selected for a Standard pricing configuration, when more than + /// one sub-plan is available. Each sub-plan enables a set of security + /// features. When not specified, full plan is applied. + /// + /// + /// The cancellation token. + /// + public static async Task UpdateAsync(this IPricingsOperations operations, string pricingName, string pricingTier, string subPlan = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(pricingName, pricingTier, subPlan, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperations.cs new file mode 100644 index 000000000000..46c95fe8d269 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperations.cs 
@@ -0,0 +1,648 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceAssessmentsOperations operations. + /// + internal partial class RegulatoryComplianceAssessmentsOperations : IServiceOperations, IRegulatoryComplianceAssessmentsOperations + { + /// + /// Initializes a new instance of the RegulatoryComplianceAssessmentsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal RegulatoryComplianceAssessmentsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (regulatoryComplianceStandardName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceStandardName"); + } + if (regulatoryComplianceControlName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceControlName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("regulatoryComplianceStandardName", regulatoryComplianceStandardName); + tracingParameters.Add("regulatoryComplianceControlName", regulatoryComplianceControlName); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", 
cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards/{regulatoryComplianceStandardName}/regulatoryComplianceControls/{regulatoryComplianceControlName}/regulatoryComplianceAssessments").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{regulatoryComplianceStandardName}", System.Uri.EscapeDataString(regulatoryComplianceStandardName)); + _url = _url.Replace("{regulatoryComplianceControlName}", System.Uri.EscapeDataString(regulatoryComplianceControlName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Supported regulatory compliance details and state for selected assessment + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// 
+ /// Name of the regulatory compliance assessment object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string regulatoryComplianceAssessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (regulatoryComplianceStandardName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceStandardName"); + } + if (regulatoryComplianceControlName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceControlName"); + } + if (regulatoryComplianceAssessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceAssessmentName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + 
tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("regulatoryComplianceStandardName", regulatoryComplianceStandardName); + tracingParameters.Add("regulatoryComplianceControlName", regulatoryComplianceControlName); + tracingParameters.Add("regulatoryComplianceAssessmentName", regulatoryComplianceAssessmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards/{regulatoryComplianceStandardName}/regulatoryComplianceControls/{regulatoryComplianceControlName}/regulatoryComplianceAssessments/{regulatoryComplianceAssessmentName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{regulatoryComplianceStandardName}", System.Uri.EscapeDataString(regulatoryComplianceStandardName)); + _url = _url.Replace("{regulatoryComplianceControlName}", System.Uri.EscapeDataString(regulatoryComplianceControlName)); + _url = _url.Replace("{regulatoryComplianceAssessmentName}", System.Uri.EscapeDataString(regulatoryComplianceAssessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperationsExtensions.cs new file mode 100644 index 000000000000..481a46a93920 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceAssessmentsOperationsExtensions.cs 
@@ -0,0 +1,155 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for RegulatoryComplianceAssessmentsOperations. + /// + public static partial class RegulatoryComplianceAssessmentsOperationsExtensions + { + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// OData filter. Optional. + /// + public static IPage List(this IRegulatoryComplianceAssessmentsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string filter = default(string)) + { + return operations.ListAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName, filter).GetAwaiter().GetResult(); + } + + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this IRegulatoryComplianceAssessmentsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName, filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Supported regulatory compliance details and state for selected assessment + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// Name of the regulatory compliance assessment object + /// + public static RegulatoryComplianceAssessment Get(this IRegulatoryComplianceAssessmentsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string regulatoryComplianceAssessmentName) + { + return operations.GetAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName, regulatoryComplianceAssessmentName).GetAwaiter().GetResult(); + } + + /// + /// Supported regulatory compliance details and state for selected assessment + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// Name of the regulatory compliance assessment object + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IRegulatoryComplianceAssessmentsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName, string regulatoryComplianceAssessmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName, regulatoryComplianceAssessmentName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IRegulatoryComplianceAssessmentsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Details and state of assessments mapped to selected regulatory compliance + /// control + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IRegulatoryComplianceAssessmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperations.cs new file mode 100644 index 000000000000..b1b3046fae67 --- /dev/null 
+++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperations.cs 
@@ -0,0 +1,630 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceControlsOperations operations. + /// + internal partial class RegulatoryComplianceControlsOperations : IServiceOperations, IRegulatoryComplianceControlsOperations + { + /// + /// Initializes a new instance of the RegulatoryComplianceControlsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal RegulatoryComplianceControlsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string regulatoryComplianceStandardName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (regulatoryComplianceStandardName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceStandardName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("regulatoryComplianceStandardName", regulatoryComplianceStandardName); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards/{regulatoryComplianceStandardName}/regulatoryComplianceControls").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{regulatoryComplianceStandardName}", System.Uri.EscapeDataString(regulatoryComplianceStandardName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await 
Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) 
+ { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Selected regulatory compliance control details and state + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, string regulatoryComplianceControlName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (regulatoryComplianceStandardName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceStandardName"); + } + if (regulatoryComplianceControlName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceControlName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("regulatoryComplianceStandardName", regulatoryComplianceStandardName); + tracingParameters.Add("regulatoryComplianceControlName", regulatoryComplianceControlName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards/{regulatoryComplianceStandardName}/regulatoryComplianceControls/{regulatoryComplianceControlName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{regulatoryComplianceStandardName}", System.Uri.EscapeDataString(regulatoryComplianceStandardName)); + _url = _url.Replace("{regulatoryComplianceControlName}", System.Uri.EscapeDataString(regulatoryComplianceControlName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await 
Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) 
+ { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperationsExtensions.cs new file mode 100644 index 000000000000..cd7d6e6df6c2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceControlsOperationsExtensions.cs 
@@ -0,0 +1,143 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for RegulatoryComplianceControlsOperations. + /// + public static partial class RegulatoryComplianceControlsOperationsExtensions + { + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// OData filter. Optional. + /// + public static IPage List(this IRegulatoryComplianceControlsOperations operations, string regulatoryComplianceStandardName, string filter = default(string)) + { + return operations.ListAsync(regulatoryComplianceStandardName, filter).GetAwaiter().GetResult(); + } + + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this IRegulatoryComplianceControlsOperations operations, string regulatoryComplianceStandardName, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(regulatoryComplianceStandardName, filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Selected regulatory compliance control details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + public static RegulatoryComplianceControl Get(this IRegulatoryComplianceControlsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName) + { + return operations.GetAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName).GetAwaiter().GetResult(); + } + + /// + /// Selected regulatory compliance control details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Name of the regulatory compliance control object + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IRegulatoryComplianceControlsOperations operations, string regulatoryComplianceStandardName, string regulatoryComplianceControlName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(regulatoryComplianceStandardName, regulatoryComplianceControlName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IRegulatoryComplianceControlsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// All supported regulatory compliance controls details and state for selected + /// standard + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IRegulatoryComplianceControlsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperations.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperations.cs new file mode 100644 index 000000000000..8fa85b9d82b4 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperations.cs 
@@ -0,0 +1,610 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// RegulatoryComplianceStandardsOperations operations. + /// + internal partial class RegulatoryComplianceStandardsOperations : IServiceOperations, IRegulatoryComplianceStandardsOperations + { + /// + /// Initializes a new instance of the RegulatoryComplianceStandardsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal RegulatoryComplianceStandardsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Supported regulatory compliance details state for selected standard + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string regulatoryComplianceStandardName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (regulatoryComplianceStandardName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "regulatoryComplianceStandardName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("regulatoryComplianceStandardName", regulatoryComplianceStandardName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards/{regulatoryComplianceStandardName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{regulatoryComplianceStandardName}", System.Uri.EscapeDataString(regulatoryComplianceStandardName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, 
_httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperationsExtensions.cs new file mode 100644 index 000000000000..0f1c4822a5a8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/RegulatoryComplianceStandardsOperationsExtensions.cs 
@@ -0,0 +1,127 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for RegulatoryComplianceStandardsOperations. + /// + public static partial class RegulatoryComplianceStandardsOperationsExtensions + { + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. + /// + public static IPage List(this IRegulatoryComplianceStandardsOperations operations, string filter = default(string)) + { + return operations.ListAsync(filter).GetAwaiter().GetResult(); + } + + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IRegulatoryComplianceStandardsOperations operations, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Supported regulatory compliance details state for selected standard + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the regulatory compliance standard object + /// + public static RegulatoryComplianceStandard Get(this IRegulatoryComplianceStandardsOperations operations, string regulatoryComplianceStandardName) + { + return operations.GetAsync(regulatoryComplianceStandardName).GetAwaiter().GetResult(); + } + + /// + /// Supported regulatory compliance details state for selected standard + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the regulatory compliance standard object + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IRegulatoryComplianceStandardsOperations operations, string regulatoryComplianceStandardName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(regulatoryComplianceStandardName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this IRegulatoryComplianceStandardsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Supported regulatory compliance standards details and state + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this IRegulatoryComplianceStandardsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs b/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs index d19c79eba634..12e0850845ba 100644 --- a/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs +++ b/src/Security/Security.Management.Sdk/Generated/SdkInfo_SecurityCenter.cs 
@@ -19,7 +19,67 @@ public static IEnumerable> ApiInfo_SecurityCenter { return new Tuple[] { + new Tuple("Security", "AdaptiveApplicationControls", "2020-01-01"), + new Tuple("Security", "AdaptiveNetworkHardenings", "2020-01-01"), + new Tuple("Security", "AdvancedThreatProtection", "2019-01-01"), new Tuple("Security", "Alerts", "2022-01-01"), + new Tuple("Security", "AlertsSuppressionRules", "2019-01-01-preview"), + new Tuple("Security", "AllowedConnections", "2020-01-01"), + new Tuple("Security", "Application", "2022-07-01-preview"), + new Tuple("Security", "Applications", "2022-07-01-preview"), + new Tuple("Security", "Assessments", "2021-06-01"), + new Tuple("Security", "AssessmentsMetadata", "2021-06-01"), + new Tuple("Security", "AutoProvisioningSettings", "2017-08-01-preview"), + new Tuple("Security", "Automations", "2019-01-01-preview"), + new Tuple("Security", "ComplianceResults", "2017-08-01"), + new Tuple("Security", "Compliances", "2017-08-01-preview"), + new Tuple("Security", "Connectors", "2020-01-01-preview"), + new Tuple("Security", "CustomAssessmentAutomations", "2021-07-01-preview"), + new Tuple("Security", "CustomEntityStoreAssignments", "2021-07-01-preview"), + new Tuple("Security", "DeviceSecurityGroups", "2019-08-01"), + new Tuple("Security", "DiscoveredSecuritySolutions", "2020-01-01"), + new Tuple("Security", "ExternalSecuritySolutions", "2020-01-01"), + new Tuple("Security", "GovernanceAssignments", "2022-01-01-preview"), + new Tuple("Security", "GovernanceRule", "2022-01-01-preview"), + new Tuple("Security", "GovernanceRules", "2022-01-01-preview"), + new Tuple("Security", "InformationProtectionPolicies", "2017-08-01-preview"), + new Tuple("Security", "IngestionSettings", "2021-01-15-preview"), + new Tuple("Security", "IotSecuritySolution", "2019-08-01"), + new Tuple("Security", "IotSecuritySolutionAnalytics", "2019-08-01"), + new Tuple("Security", "IotSecuritySolutionsAnalyticsAggregatedAlert", "2019-08-01"), + new Tuple("Security", 
"IotSecuritySolutionsAnalyticsRecommendation", "2019-08-01"), + new Tuple("Security", "JitNetworkAccessPolicies", "2020-01-01"), + new Tuple("Security", "Locations", "2015-06-01-preview"), + new Tuple("Security", "MdeOnboardings", "2021-10-01-preview"), + new Tuple("Security", "Operations", "2015-06-01-preview"), + new Tuple("Security", "Pricings", "2022-03-01"), + new Tuple("Security", "RegulatoryComplianceAssessments", "2019-01-01-preview"), + new Tuple("Security", "RegulatoryComplianceControls", "2019-01-01-preview"), + new Tuple("Security", "RegulatoryComplianceStandards", "2019-01-01-preview"), + new Tuple("Security", "SecureScoreControlDefinitions", "2020-01-01"), + new Tuple("Security", "SecureScoreControls", "2020-01-01"), + new Tuple("Security", "SecureScores", "2020-01-01"), + new Tuple("Security", "SecurityConnectorApplication", "2022-07-01-preview"), + new Tuple("Security", "SecurityConnectorApplications", "2022-07-01-preview"), + new Tuple("Security", "SecurityConnectorGovernanceRule", "2022-01-01-preview"), + new Tuple("Security", "SecurityConnectorGovernanceRules", "2022-01-01-preview"), + new Tuple("Security", "SecurityConnectorGovernanceRulesExecuteStatus", "2022-01-01-preview"), + new Tuple("Security", "SecurityConnectors", "2022-08-01-preview"), + new Tuple("Security", "SecurityContacts", "2020-01-01-preview"), + new Tuple("Security", "SecuritySolutions", "2020-01-01"), + new Tuple("Security", "SecuritySolutionsReferenceData", "2020-01-01"), + new Tuple("Security", "ServerVulnerabilityAssessment", "2020-01-01"), + new Tuple("Security", "Settings", "2022-05-01"), + new Tuple("Security", "SoftwareInventories", "2021-05-01-preview"), + new Tuple("Security", "SqlVulnerabilityAssessmentBaselineRules", "2020-07-01-preview"), + new Tuple("Security", "SqlVulnerabilityAssessmentScanResults", "2020-07-01-preview"), + new Tuple("Security", "SqlVulnerabilityAssessmentScans", "2020-07-01-preview"), + new Tuple("Security", "SubAssessments", 
"2019-01-01-preview"), + new Tuple("Security", "SubscriptionGovernanceRulesExecuteStatus", "2022-01-01-preview"), + new Tuple("Security", "Tasks", "2015-06-01-preview"), + new Tuple("Security", "Topology", "2020-01-01"), + new Tuple("Security", "WorkspaceSettings", "2017-08-01-preview"), + new Tuple("Security", "securitySolutionsReferenceData", "2020-01-01"), }.AsEnumerable(); } } diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperations.cs new file mode 100644 index 000000000000..d0504ab34dcd --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperations.cs 
@@ -0,0 +1,750 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoreControlDefinitionsOperations operations. + /// + internal partial class SecureScoreControlDefinitionsOperations : IServiceOperations, ISecureScoreControlDefinitionsOperations + { + /// + /// Initializes a new instance of the SecureScoreControlDefinitionsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecureScoreControlDefinitionsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "providers/Microsoft.Security/secureScoreControlDefinitions").ToString(); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScoreControlDefinitions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
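Review bot: ListNextWithHttpMessagesAsync and ListBySubscriptionNextWithHttpMessagesAsync use `nextPageLink` verbatim as the request URI (`_url.Replace("{nextLink}", nextPageLink)`) and then call `Client.Credentials.ProcessHttpRequestAsync` on that request, so the credential is attached to whatever scheme and host the link names, with no comparison against `Client.BaseUri`. The link normally comes from the service's previous page, so this matters mainly when a caller passes a link from another source or a response has been altered in transit. A guard ahead of the request would close it: `var _next = new System.Uri(nextPageLink); if (_next.Scheme != Client.BaseUri.Scheme || !string.Equals(_next.Host, Client.BaseUri.Host, System.StringComparison.OrdinalIgnoreCase)) throw new ValidationException(ValidationRules.Pattern, "nextPageLink");`. Since the file header says edits here are lost on regeneration, the check belongs in the generator configuration or in a hand-written message handler on `Client.HttpClient` rather than in this file.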
diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperationsExtensions.cs new file mode 100644 index 000000000000..dd3871951067 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlDefinitionsOperationsExtensions.cs 
@@ -0,0 +1,153 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecureScoreControlDefinitionsOperations. + /// + public static partial class SecureScoreControlDefinitionsOperationsExtensions + { + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISecureScoreControlDefinitionsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecureScoreControlDefinitionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// The operations group for this extension method. 
+ /// + public static IPage ListBySubscription(this ISecureScoreControlDefinitionsOperations operations) + { + return operations.ListBySubscriptionAsync().GetAwaiter().GetResult(); + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this ISecureScoreControlDefinitionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecureScoreControlDefinitionsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List the available security controls, their assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this ISecureScoreControlDefinitionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySubscriptionNext(this ISecureScoreControlDefinitionsOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// For a specified subscription, list the available security controls, their + /// assessments, and the max score + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionNextAsync(this ISecureScoreControlDefinitionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperations.cs new file mode 100644 index 000000000000..68b0ca1ac12f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperations.cs 
@@ -0,0 +1,792 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoreControlsOperations operations. + /// + internal partial class SecureScoreControlsOperations : IServiceOperations, ISecureScoreControlsOperations + { + /// + /// Initializes a new instance of the SecureScoreControlsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecureScoreControlsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySecureScoreWithHttpMessagesAsync(string secureScoreName, string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (secureScoreName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "secureScoreName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("secureScoreName", secureScoreName); + tracingParameters.Add("expand", expand); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySecureScore", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores/{secureScoreName}/secureScoreControls").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{secureScoreName}", System.Uri.EscapeDataString(secureScoreName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (expand != null) + { + _queryParameters.Add(string.Format("$expand={0}", System.Uri.EscapeDataString(expand))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if 
(_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get all security controls within a scope + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string expand = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("expand", expand); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScoreControls").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (expand != null) + { + _queryParameters.Add(string.Format("$expand={0}", System.Uri.EscapeDataString(expand))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySecureScoreNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySecureScoreNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get all security controls within a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
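Review bot: In `ListBySecureScoreNextWithHttpMessagesAsync` and `ListNextWithHttpMessagesAsync`, `nextPageLink` becomes the request URI verbatim (`_url.Replace("{nextLink}", nextPageLink)`), and `Client.Credentials.ProcessHttpRequestAsync` then runs on that request, so whatever the credential provider adds (presumably the authorization header) goes to whichever host the link names. The only validation is the null check; nothing compares the link's scheme or host with `Client.BaseUri`. A guard before the request is built would close this, for example `if (new System.Uri(nextPageLink).Host != Client.BaseUri.Host) { throw new ValidationException(ValidationRules.Pattern, "nextPageLink"); }`. Because this file is AutoRest output and is overwritten on regeneration, the check belongs in the generator template or in the code that calls these methods, not in a hand edit here. Whether any caller passes a link that did not come from a previous service response is not visible in this patch.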
diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperationsExtensions.cs new file mode 100644 index 000000000000..103f6984f1c7 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoreControlsOperationsExtensions.cs 
@@ -0,0 +1,169 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecureScoreControlsOperations. + /// + public static partial class SecureScoreControlsOperationsExtensions + { + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + public static IPage ListBySecureScore(this ISecureScoreControlsOperations operations, string secureScoreName, string expand = default(string)) + { + return operations.ListBySecureScoreAsync(secureScoreName, expand).GetAwaiter().GetResult(); + } + + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListBySecureScoreAsync(this ISecureScoreControlsOperations operations, string secureScoreName, string expand = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySecureScoreWithHttpMessagesAsync(secureScoreName, expand, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get all security controls within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + public static IPage List(this ISecureScoreControlsOperations operations, string expand = default(string)) + { + return operations.ListAsync(expand).GetAwaiter().GetResult(); + } + + /// + /// Get all security controls within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData expand. Optional. Possible values include: 'definition' + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecureScoreControlsOperations operations, string expand = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(expand, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySecureScoreNext(this ISecureScoreControlsOperations operations, string nextPageLink) + { + return operations.ListBySecureScoreNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get all security controls for a specific initiative within a scope + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySecureScoreNextAsync(this ISecureScoreControlsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySecureScoreNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get all security controls within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecureScoreControlsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get all security controls within a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecureScoreControlsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoresOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoresOperations.cs new file mode 100644 index 000000000000..5675a3c47eaf --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoresOperations.cs 
@@ -0,0 +1,606 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecureScoresOperations operations. + /// + internal partial class SecureScoresOperations : IServiceOperations, ISecureScoresOperations + { + /// + /// Initializes a new instance of the SecureScoresOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecureScoresOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get secure score for a specific Microsoft Defender for Cloud initiative + /// within your current scope. For the ASC Default initiative, use 'ascScore'. + /// + /// + /// The initiative name. 
For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string secureScoreName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (secureScoreName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "secureScoreName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("secureScoreName", secureScoreName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores/{secureScoreName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{secureScoreName}", System.Uri.EscapeDataString(secureScoreName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + 
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecureScoresOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecureScoresOperationsExtensions.cs new file mode 100644 index 000000000000..97651df43a86 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecureScoresOperationsExtensions.cs 
@@ -0,0 +1,129 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecureScoresOperations. + /// + public static partial class SecureScoresOperationsExtensions + { + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISecureScoresOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecureScoresOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get secure score for a specific Microsoft Defender for Cloud initiative + /// within your current scope. For the ASC Default initiative, use 'ascScore'. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. 
+ /// + public static SecureScoreItem Get(this ISecureScoresOperations operations, string secureScoreName) + { + return operations.GetAsync(secureScoreName).GetAwaiter().GetResult(); + } + + /// + /// Get secure score for a specific Microsoft Defender for Cloud initiative + /// within your current scope. For the ASC Default initiative, use 'ascScore'. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The initiative name. For the ASC Default initiative, use 'ascScore' as in + /// the sample request below. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISecureScoresOperations operations, string secureScoreName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(secureScoreName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecureScoresOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List secure scores for all your Microsoft Defender for Cloud initiatives + /// within your current scope. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListNextAsync(this ISecureScoresOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs b/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs index 0bfe38d94ebe..826d0b16b6ec 100644 --- a/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs +++ b/src/Security/Security.Management.Sdk/Generated/SecurityCenterClient.cs @@ -21,10 +21,6 @@ namespace Microsoft.Azure.Management.Security using System.Net; using System.Net.Http; - /// - /// API spec for Microsoft.Security (Azure Security Center) alerts resource - /// provider - /// public partial class SecurityCenterClient : ServiceClient, ISecurityCenterClient, IAzureClient { /// @@ -47,21 +43,16 @@ public partial class SecurityCenterClient : ServiceClient, /// public ServiceClientCredentials Credentials { get; private set; } - /// - /// The location where ASC stores the data of the subscription. can be - /// retrieved from Get locations - /// - public string AscLocation { get; set; } - /// /// Azure subscription ID /// public string SubscriptionId { get; set; } /// - /// API version for the operation + /// The location where ASC stores the data of the subscription. can be + /// retrieved from Get locations /// - public string ApiVersion { get; private set; } + public string AscLocation { get; set; } /// /// The preferred language for the response. 
@@ -81,11 +72,306 @@ public partial class SecurityCenterClient : ServiceClient, /// public bool? GenerateClientRequestId { get; set; } + /// + /// Gets the IMdeOnboardingsOperations. + /// + public virtual IMdeOnboardingsOperations MdeOnboardings { get; private set; } + + /// + /// Gets the ICustomAssessmentAutomationsOperations. + /// + public virtual ICustomAssessmentAutomationsOperations CustomAssessmentAutomations { get; private set; } + + /// + /// Gets the ICustomEntityStoreAssignmentsOperations. + /// + public virtual ICustomEntityStoreAssignmentsOperations CustomEntityStoreAssignments { get; private set; } + + /// + /// Gets the IComplianceResultsOperations. + /// + public virtual IComplianceResultsOperations ComplianceResults { get; private set; } + + /// + /// Gets the IPricingsOperations. + /// + public virtual IPricingsOperations Pricings { get; private set; } + + /// + /// Gets the IAdvancedThreatProtectionOperations. + /// + public virtual IAdvancedThreatProtectionOperations AdvancedThreatProtection { get; private set; } + + /// + /// Gets the IDeviceSecurityGroupsOperations. + /// + public virtual IDeviceSecurityGroupsOperations DeviceSecurityGroups { get; private set; } + + /// + /// Gets the IIotSecuritySolutionOperations. + /// + public virtual IIotSecuritySolutionOperations IotSecuritySolution { get; private set; } + + /// + /// Gets the IIotSecuritySolutionAnalyticsOperations. + /// + public virtual IIotSecuritySolutionAnalyticsOperations IotSecuritySolutionAnalytics { get; private set; } + + /// + /// Gets the IIotSecuritySolutionsAnalyticsAggregatedAlertOperations. + /// + public virtual IIotSecuritySolutionsAnalyticsAggregatedAlertOperations IotSecuritySolutionsAnalyticsAggregatedAlert { get; private set; } + + /// + /// Gets the IIotSecuritySolutionsAnalyticsRecommendationOperations. 
+ /// + public virtual IIotSecuritySolutionsAnalyticsRecommendationOperations IotSecuritySolutionsAnalyticsRecommendation { get; private set; } + + /// + /// Gets the ILocationsOperations. + /// + public virtual ILocationsOperations Locations { get; private set; } + + /// + /// Gets the IOperations. + /// + public virtual IOperations Operations { get; private set; } + + /// + /// Gets the ITasksOperations. + /// + public virtual ITasksOperations Tasks { get; private set; } + + /// + /// Gets the IAutoProvisioningSettingsOperations. + /// + public virtual IAutoProvisioningSettingsOperations AutoProvisioningSettings { get; private set; } + + /// + /// Gets the ICompliancesOperations. + /// + public virtual ICompliancesOperations Compliances { get; private set; } + + /// + /// Gets the IInformationProtectionPoliciesOperations. + /// + public virtual IInformationProtectionPoliciesOperations InformationProtectionPolicies { get; private set; } + + /// + /// Gets the ISecurityContactsOperations. + /// + public virtual ISecurityContactsOperations SecurityContacts { get; private set; } + + /// + /// Gets the IWorkspaceSettingsOperations. + /// + public virtual IWorkspaceSettingsOperations WorkspaceSettings { get; private set; } + + /// + /// Gets the IRegulatoryComplianceStandardsOperations. + /// + public virtual IRegulatoryComplianceStandardsOperations RegulatoryComplianceStandards { get; private set; } + + /// + /// Gets the IRegulatoryComplianceControlsOperations. + /// + public virtual IRegulatoryComplianceControlsOperations RegulatoryComplianceControls { get; private set; } + + /// + /// Gets the IRegulatoryComplianceAssessmentsOperations. + /// + public virtual IRegulatoryComplianceAssessmentsOperations RegulatoryComplianceAssessments { get; private set; } + + /// + /// Gets the ISubAssessmentsOperations. + /// + public virtual ISubAssessmentsOperations SubAssessments { get; private set; } + + /// + /// Gets the IAutomationsOperations. 
+ /// + public virtual IAutomationsOperations Automations { get; private set; } + + /// + /// Gets the IAlertsSuppressionRulesOperations. + /// + public virtual IAlertsSuppressionRulesOperations AlertsSuppressionRules { get; private set; } + + /// + /// Gets the IServerVulnerabilityAssessmentOperations. + /// + public virtual IServerVulnerabilityAssessmentOperations ServerVulnerabilityAssessment { get; private set; } + + /// + /// Gets the IAssessmentsMetadataOperations. + /// + public virtual IAssessmentsMetadataOperations AssessmentsMetadata { get; private set; } + + /// + /// Gets the IAssessmentsOperations. + /// + public virtual IAssessmentsOperations Assessments { get; private set; } + + /// + /// Gets the IAdaptiveApplicationControlsOperations. + /// + public virtual IAdaptiveApplicationControlsOperations AdaptiveApplicationControls { get; private set; } + + /// + /// Gets the IAdaptiveNetworkHardeningsOperations. + /// + public virtual IAdaptiveNetworkHardeningsOperations AdaptiveNetworkHardenings { get; private set; } + + /// + /// Gets the IAllowedConnectionsOperations. + /// + public virtual IAllowedConnectionsOperations AllowedConnections { get; private set; } + + /// + /// Gets the ITopologyOperations. + /// + public virtual ITopologyOperations Topology { get; private set; } + + /// + /// Gets the IJitNetworkAccessPoliciesOperations. + /// + public virtual IJitNetworkAccessPoliciesOperations JitNetworkAccessPolicies { get; private set; } + + /// + /// Gets the IDiscoveredSecuritySolutionsOperations. + /// + public virtual IDiscoveredSecuritySolutionsOperations DiscoveredSecuritySolutions { get; private set; } + + /// + /// Gets the ISecuritySolutionsReferenceDataOperations. + /// + public virtual ISecuritySolutionsReferenceDataOperations SecuritySolutionsReferenceData { get; private set; } + + /// + /// Gets the IExternalSecuritySolutionsOperations. 
+ /// + public virtual IExternalSecuritySolutionsOperations ExternalSecuritySolutions { get; private set; } + + /// + /// Gets the ISecureScoresOperations. + /// + public virtual ISecureScoresOperations SecureScores { get; private set; } + + /// + /// Gets the ISecureScoreControlsOperations. + /// + public virtual ISecureScoreControlsOperations SecureScoreControls { get; private set; } + + /// + /// Gets the ISecureScoreControlDefinitionsOperations. + /// + public virtual ISecureScoreControlDefinitionsOperations SecureScoreControlDefinitions { get; private set; } + + /// + /// Gets the ISecuritySolutionsOperations. + /// + public virtual ISecuritySolutionsOperations SecuritySolutions { get; private set; } + + /// + /// Gets the IConnectorsOperations. + /// + public virtual IConnectorsOperations Connectors { get; private set; } + + /// + /// Gets the ISqlVulnerabilityAssessmentScansOperations. + /// + public virtual ISqlVulnerabilityAssessmentScansOperations SqlVulnerabilityAssessmentScans { get; private set; } + + /// + /// Gets the ISqlVulnerabilityAssessmentScanResultsOperations. + /// + public virtual ISqlVulnerabilityAssessmentScanResultsOperations SqlVulnerabilityAssessmentScanResults { get; private set; } + + /// + /// Gets the ISqlVulnerabilityAssessmentBaselineRulesOperations. + /// + public virtual ISqlVulnerabilityAssessmentBaselineRulesOperations SqlVulnerabilityAssessmentBaselineRules { get; private set; } + /// /// Gets the IAlertsOperations. /// public virtual IAlertsOperations Alerts { get; private set; } + /// + /// Gets the ISettingsOperations. + /// + public virtual ISettingsOperations Settings { get; private set; } + + /// + /// Gets the IIngestionSettingsOperations. + /// + public virtual IIngestionSettingsOperations IngestionSettings { get; private set; } + + /// + /// Gets the ISoftwareInventoriesOperations. 
+ /// + public virtual ISoftwareInventoriesOperations SoftwareInventories { get; private set; } + + /// + /// Gets the ISecurityConnectorsOperations. + /// + public virtual ISecurityConnectorsOperations SecurityConnectors { get; private set; } + + /// + /// Gets the IGovernanceRuleOperations. + /// + public virtual IGovernanceRuleOperations GovernanceRule { get; private set; } + + /// + /// Gets the IGovernanceRulesOperations. + /// + public virtual IGovernanceRulesOperations GovernanceRules { get; private set; } + + /// + /// Gets the ISecurityConnectorGovernanceRuleOperations. + /// + public virtual ISecurityConnectorGovernanceRuleOperations SecurityConnectorGovernanceRule { get; private set; } + + /// + /// Gets the ISecurityConnectorGovernanceRulesOperations. + /// + public virtual ISecurityConnectorGovernanceRulesOperations SecurityConnectorGovernanceRules { get; private set; } + + /// + /// Gets the ISubscriptionGovernanceRulesExecuteStatusOperations. + /// + public virtual ISubscriptionGovernanceRulesExecuteStatusOperations SubscriptionGovernanceRulesExecuteStatus { get; private set; } + + /// + /// Gets the ISecurityConnectorGovernanceRulesExecuteStatusOperations. + /// + public virtual ISecurityConnectorGovernanceRulesExecuteStatusOperations SecurityConnectorGovernanceRulesExecuteStatus { get; private set; } + + /// + /// Gets the IGovernanceAssignmentsOperations. + /// + public virtual IGovernanceAssignmentsOperations GovernanceAssignments { get; private set; } + + /// + /// Gets the IApplicationsOperations. + /// + public virtual IApplicationsOperations Applications { get; private set; } + + /// + /// Gets the IApplicationOperations. + /// + public virtual IApplicationOperations Application { get; private set; } + + /// + /// Gets the ISecurityConnectorApplicationsOperations. + /// + public virtual ISecurityConnectorApplicationsOperations SecurityConnectorApplications { get; private set; } + + /// + /// Gets the ISecurityConnectorApplicationOperations. 
+ /// + public virtual ISecurityConnectorApplicationOperations SecurityConnectorApplication { get; private set; } + /// /// Initializes a new instance of the SecurityCenterClient class. /// 
@@ -327,9 +613,67 @@ public SecurityCenterClient(System.Uri baseUri, ServiceClientCredentials credent /// private void Initialize() { + MdeOnboardings = new MdeOnboardingsOperations(this); + CustomAssessmentAutomations = new CustomAssessmentAutomationsOperations(this); + CustomEntityStoreAssignments = new CustomEntityStoreAssignmentsOperations(this); + ComplianceResults = new ComplianceResultsOperations(this); + Pricings = new PricingsOperations(this); + AdvancedThreatProtection = new AdvancedThreatProtectionOperations(this); + DeviceSecurityGroups = new DeviceSecurityGroupsOperations(this); + IotSecuritySolution = new IotSecuritySolutionOperations(this); + IotSecuritySolutionAnalytics = new IotSecuritySolutionAnalyticsOperations(this); + IotSecuritySolutionsAnalyticsAggregatedAlert = new IotSecuritySolutionsAnalyticsAggregatedAlertOperations(this); + IotSecuritySolutionsAnalyticsRecommendation = new IotSecuritySolutionsAnalyticsRecommendationOperations(this); + Locations = new LocationsOperations(this); + Operations = new Operations(this); + Tasks = new TasksOperations(this); + AutoProvisioningSettings = new AutoProvisioningSettingsOperations(this); + Compliances = new CompliancesOperations(this); + InformationProtectionPolicies = new InformationProtectionPoliciesOperations(this); + SecurityContacts = new SecurityContactsOperations(this); + WorkspaceSettings = new WorkspaceSettingsOperations(this); + RegulatoryComplianceStandards = new RegulatoryComplianceStandardsOperations(this); + RegulatoryComplianceControls = new RegulatoryComplianceControlsOperations(this); + RegulatoryComplianceAssessments = new RegulatoryComplianceAssessmentsOperations(this); + SubAssessments = new SubAssessmentsOperations(this); + Automations = new AutomationsOperations(this); + AlertsSuppressionRules = new AlertsSuppressionRulesOperations(this); + ServerVulnerabilityAssessment = new ServerVulnerabilityAssessmentOperations(this); + AssessmentsMetadata = new 
AssessmentsMetadataOperations(this); + Assessments = new AssessmentsOperations(this); + AdaptiveApplicationControls = new AdaptiveApplicationControlsOperations(this); + AdaptiveNetworkHardenings = new AdaptiveNetworkHardeningsOperations(this); + AllowedConnections = new AllowedConnectionsOperations(this); + Topology = new TopologyOperations(this); + JitNetworkAccessPolicies = new JitNetworkAccessPoliciesOperations(this); + DiscoveredSecuritySolutions = new DiscoveredSecuritySolutionsOperations(this); + SecuritySolutionsReferenceData = new SecuritySolutionsReferenceDataOperations(this); + ExternalSecuritySolutions = new ExternalSecuritySolutionsOperations(this); + SecureScores = new SecureScoresOperations(this); + SecureScoreControls = new SecureScoreControlsOperations(this); + SecureScoreControlDefinitions = new SecureScoreControlDefinitionsOperations(this); + SecuritySolutions = new SecuritySolutionsOperations(this); + Connectors = new ConnectorsOperations(this); + SqlVulnerabilityAssessmentScans = new SqlVulnerabilityAssessmentScansOperations(this); + SqlVulnerabilityAssessmentScanResults = new SqlVulnerabilityAssessmentScanResultsOperations(this); + SqlVulnerabilityAssessmentBaselineRules = new SqlVulnerabilityAssessmentBaselineRulesOperations(this); Alerts = new AlertsOperations(this); + Settings = new SettingsOperations(this); + IngestionSettings = new IngestionSettingsOperations(this); + SoftwareInventories = new SoftwareInventoriesOperations(this); + SecurityConnectors = new SecurityConnectorsOperations(this); + GovernanceRule = new GovernanceRuleOperations(this); + GovernanceRules = new GovernanceRulesOperations(this); + SecurityConnectorGovernanceRule = new SecurityConnectorGovernanceRuleOperations(this); + SecurityConnectorGovernanceRules = new SecurityConnectorGovernanceRulesOperations(this); + SubscriptionGovernanceRulesExecuteStatus = new SubscriptionGovernanceRulesExecuteStatusOperations(this); + SecurityConnectorGovernanceRulesExecuteStatus = new 
SecurityConnectorGovernanceRulesExecuteStatusOperations(this); + GovernanceAssignments = new GovernanceAssignmentsOperations(this); + Applications = new ApplicationsOperations(this); + Application = new ApplicationOperations(this); + SecurityConnectorApplications = new SecurityConnectorApplicationsOperations(this); + SecurityConnectorApplication = new SecurityConnectorApplicationOperations(this); BaseUri = new System.Uri("https://management.azure.com"); - ApiVersion = "2022-01-01"; AcceptLanguage = "en-US"; LongRunningOperationRetryTimeout = 30; GenerateClientRequestId = true; 
@@ -359,10 +703,32 @@ private void Initialize() new Iso8601TimeSpanConverter() } }; + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("ruleType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("ruleType")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("source")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("source")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("assessedResourceType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("assessedResourceType")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("actionType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("actionType")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("kind")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("kind")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("authenticationType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("authenticationType")); SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("type")); DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("type")); SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("kind")); DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("kind")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("kind")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("kind")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("offeringType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("offeringType")); + SerializationSettings.Converters.Add(new 
PolymorphicSerializeJsonConverter("environmentType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("environmentType")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("organizationMembershipType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("organizationMembershipType")); + SerializationSettings.Converters.Add(new PolymorphicSerializeJsonConverter("organizationMembershipType")); + DeserializationSettings.Converters.Add(new PolymorphicDeserializeJsonConverter("organizationMembershipType")); CustomInitialize(); DeserializationSettings.Converters.Add(new TransformationJsonConverter()); DeserializationSettings.Converters.Add(new CloudErrorJsonConverter()); diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperations.cs new file mode 100644 index 000000000000..c45741d6b39f --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperations.cs 
@@ -0,0 +1,747 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorApplicationOperations operations. + /// + internal partial class SecurityConnectorApplicationOperations : IServiceOperations, ISecurityConnectorApplicationOperations + { + /// + /// Initializes a new instance of the SecurityConnectorApplicationOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorApplicationOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or update a security Application on the given security connector. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Application application, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + 
if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + if (application == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "application"); + } + if (application != null) + { + application.Validate(); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("application", application); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(application != null) + { + _requestContent = 
Rest.Serialization.SafeJsonConvert.SerializeObject(application, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, 
ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string applicationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (applicationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "applicationId"); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; 
+ if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("applicationId", applicationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/applications/{applicationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{applicationId}", System.Uri.EscapeDataString(applicationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperationsExtensions.cs new file mode 100644 index 000000000000..30a3405449d2 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationOperationsExtensions.cs 
@@ -0,0 +1,172 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorApplicationOperations. + /// + public static partial class SecurityConnectorApplicationOperationsExtensions + { + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + public static Application Get(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId) + { + return operations.GetAsync(resourceGroupName, securityConnectorName, applicationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific application for the requested scope by applicationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, applicationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or update a security Application on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + public static Application CreateOrUpdate(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId, Application application) + { + return operations.CreateOrUpdateAsync(resourceGroupName, securityConnectorName, applicationId, application).GetAwaiter().GetResult(); + } + + /// + /// Creates or update a security Application on the given security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// Application over a subscription scope + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId, Application application, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, securityConnectorName, applicationId, application, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + public static void Delete(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId) + { + operations.DeleteAsync(resourceGroupName, securityConnectorName, applicationId).GetAwaiter().GetResult(); + } + + /// + /// Delete an Application over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security Application key - unique key for the standard application + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this ISecurityConnectorApplicationOperations operations, string resourceGroupName, string securityConnectorName, string applicationId, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, securityConnectorName, applicationId, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperations.cs new file mode 100644 index 000000000000..a1c1c4487845 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperations.cs 
@@ -0,0 +1,446 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorApplicationsOperations operations. + /// + internal partial class SecurityConnectorApplicationsOperations : IServiceOperations, ISecurityConnectorApplicationsOperations + { + /// + /// Initializes a new instance of the SecurityConnectorApplicationsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorApplicationsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + string apiVersion = "2022-07-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = 
ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/applications").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperationsExtensions.cs new file mode 100644 index 000000000000..d736b66fd946 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorApplicationsOperationsExtensions.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorApplicationsOperations. + /// + public static partial class SecurityConnectorApplicationsOperationsExtensions + { + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + public static IPage List(this ISecurityConnectorApplicationsOperations operations, string resourceGroupName, string securityConnectorName) + { + return operations.ListAsync(resourceGroupName, securityConnectorName).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this ISecurityConnectorApplicationsOperations operations, string resourceGroupName, string securityConnectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceGroupName, securityConnectorName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecurityConnectorApplicationsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant applications over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecurityConnectorApplicationsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperations.cs new file mode 100644 index 000000000000..6725ca420414 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperations.cs 
@@ -0,0 +1,446 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRuleOperations operations. + /// + internal partial class SecurityConnectorGovernanceRuleOperations : IServiceOperations, ISecurityConnectorGovernanceRuleOperations + { + /// + /// Initializes a new instance of the SecurityConnectorGovernanceRuleOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorGovernanceRuleOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = 
ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperationsExtensions.cs new file mode 100644 index 000000000000..5e4a4eb6301a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRuleOperationsExtensions.cs 
@@ -0,0 +1,105 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorGovernanceRuleOperations. + /// + public static partial class SecurityConnectorGovernanceRuleOperationsExtensions + { + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + public static IPage List(this ISecurityConnectorGovernanceRuleOperations operations, string resourceGroupName, string securityConnectorName) + { + return operations.ListAsync(resourceGroupName, securityConnectorName).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAsync(this ISecurityConnectorGovernanceRuleOperations operations, string resourceGroupName, string securityConnectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(resourceGroupName, securityConnectorName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecurityConnectorGovernanceRuleOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get a list of all relevant governanceRules over a security connector level + /// scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecurityConnectorGovernanceRuleOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperations.cs new file mode 100644 index 000000000000..71d18f9d099b --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperations.cs 
@@ -0,0 +1,352 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRulesExecuteStatusOperations operations. + /// + internal partial class SecurityConnectorGovernanceRulesExecuteStatusOperations : IServiceOperations, ISecurityConnectorGovernanceRulesExecuteStatusOperations + { + /// + /// Initializes a new instance of the SecurityConnectorGovernanceRulesExecuteStatusOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorGovernanceRulesExecuteStatusOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationResponse _response = await BeginGetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, operationId, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> BeginGetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (operationId == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "operationId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("operationId", operationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginGet", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules/{ruleId}/operationResults/{operationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + _url = _url.Replace("{operationId}", System.Uri.EscapeDataString(operationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + try + { + _result.Headers = _httpResponse.GetHeadersAsJson().ToObject(JsonSerializer.Create(Client.DeserializationSettings)); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the 
headers.", _httpResponse.GetHeadersAsJson().ToString(), ex); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperationsExtensions.cs new file mode 100644 index 000000000000..6048ea7b2c46 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesExecuteStatusOperationsExtensions.cs 
@@ -0,0 +1,145 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorGovernanceRulesExecuteStatusOperations. + /// + public static partial class SecurityConnectorGovernanceRulesExecuteStatusOperationsExtensions + { + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + public static ExecuteRuleStatus Get(this ISecurityConnectorGovernanceRulesExecuteStatusOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, string operationId) + { + return operations.GetAsync(resourceGroupName, securityConnectorName, ruleId, operationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. 
+ /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISecurityConnectorGovernanceRulesExecuteStatusOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, string operationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, operationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + public static ExecuteRuleStatus BeginGet(this ISecurityConnectorGovernanceRulesExecuteStatusOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, string operationId) + { + return operations.BeginGetAsync(resourceGroupName, securityConnectorName, ruleId, operationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// The cancellation token. + /// + public static async Task BeginGetAsync(this ISecurityConnectorGovernanceRulesExecuteStatusOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, string operationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.BeginGetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, operationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperations.cs new file mode 100644 index 000000000000..72d4b393a70d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperations.cs 
@@ -0,0 +1,751 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorGovernanceRulesOperations operations. + /// + internal partial class SecurityConnectorGovernanceRulesOperations : IServiceOperations, ISecurityConnectorGovernanceRulesOperations + { + /// + /// Initializes a new instance of the SecurityConnectorGovernanceRulesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorGovernanceRulesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or update a security GovernanceRule on the given security + /// connector. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, GovernanceRule governanceRule, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", 
"^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (governanceRule == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "governanceRule"); + } + if (governanceRule != null) + { + governanceRule.Validate(); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("governanceRule", governanceRule); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(governanceRule != null) + { + _requestContent = 
Rest.Serialization.SafeJsonConvert.SerializeObject(governanceRule, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + 
ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, string ruleId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) 
+ { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}/providers/Microsoft.Security/governanceRules/{ruleId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperationsExtensions.cs new file mode 100644 index 000000000000..fa52000a8462 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorGovernanceRulesOperationsExtensions.cs 
@@ -0,0 +1,180 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorGovernanceRulesOperations. + /// + public static partial class SecurityConnectorGovernanceRulesOperationsExtensions + { + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + public static GovernanceRule Get(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId) + { + return operations.GetAsync(resourceGroupName, securityConnectorName, ruleId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule for the requested scope by ruleId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or update a security GovernanceRule on the given security + /// connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + public static GovernanceRule CreateOrUpdate(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, GovernanceRule governanceRule) + { + return operations.CreateOrUpdateAsync(resourceGroupName, securityConnectorName, ruleId, governanceRule).GetAwaiter().GetResult(); + } + + /// + /// Creates or update a security GovernanceRule on the given security + /// connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// GovernanceRule over a subscription scope + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, GovernanceRule governanceRule, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, governanceRule, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + public static void Delete(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId) + { + operations.DeleteAsync(resourceGroupName, securityConnectorName, ruleId).GetAwaiter().GetResult(); + } + + /// + /// Delete a GovernanceRule over a given scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this ISecurityConnectorGovernanceRulesOperations operations, string resourceGroupName, string securityConnectorName, string ruleId, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, securityConnectorName, ruleId, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperations.cs new file mode 100644 index 000000000000..487d4627e66c --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperations.cs 
@@ -0,0 +1,1694 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityConnectorsOperations operations. + /// + internal partial class SecurityConnectorsOperations : IServiceOperations, ISecurityConnectorsOperations + { + /// + /// Initializes a new instance of the SecurityConnectorsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityConnectorsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securityConnectors").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Retrieves details of a specific security connector + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + 
ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set 
Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creates or updates a security connector. If a security connector is already + /// created and a subsequent request is issued for the same security connector + /// id, then it will be updated. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (securityConnector == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnector"); + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("securityConnector", securityConnector); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(securityConnector != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(securityConnector, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Updates a security connector + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> UpdateWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + if (securityConnector == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnector"); + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", 
resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("securityConnector", securityConnector); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PATCH"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(securityConnector != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(securityConnector, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to 
deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes a security connector. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string securityConnectorName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new 
ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (securityConnectorName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityConnectorName"); + } + string apiVersion = "2022-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securityConnectorName", securityConnectorName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{securityConnectorName}", System.Uri.EscapeDataString(securityConnectorName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + 
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperationsExtensions.cs new file mode 100644 index 000000000000..591b99676bec --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityConnectorsOperationsExtensions.cs 
@@ -0,0 +1,354 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityConnectorsOperations. + /// + public static partial class SecurityConnectorsOperationsExtensions + { + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISecurityConnectorsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecurityConnectorsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + public static IPage ListByResourceGroup(this ISecurityConnectorsOperations operations, string resourceGroupName) + { + return operations.ListByResourceGroupAsync(resourceGroupName).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAsync(this ISecurityConnectorsOperations operations, string resourceGroupName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Retrieves details of a specific security connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + public static SecurityConnector Get(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName) + { + return operations.GetAsync(resourceGroupName, securityConnectorName).GetAwaiter().GetResult(); + } + + /// + /// Retrieves details of a specific security connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The security connector name. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, securityConnectorName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creates or updates a security connector. If a security connector is already + /// created and a subsequent request is issued for the same security connector + /// id, then it will be updated. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + public static SecurityConnector CreateOrUpdate(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector) + { + return operations.CreateOrUpdateAsync(resourceGroupName, securityConnectorName, securityConnector).GetAwaiter().GetResult(); + } + + /// + /// Creates or updates a security connector. If a security connector is already + /// created and a subsequent request is issued for the same security connector + /// id, then it will be updated. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, securityConnectorName, securityConnector, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Updates a security connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + public static SecurityConnector Update(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector) + { + return operations.UpdateAsync(resourceGroupName, securityConnectorName, securityConnector).GetAwaiter().GetResult(); + } + + /// + /// Updates a security connector + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The security connector resource + /// + /// + /// The cancellation token. + /// + public static async Task UpdateAsync(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, SecurityConnector securityConnector, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(resourceGroupName, securityConnectorName, securityConnector, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes a security connector. 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + public static void Delete(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName) + { + operations.DeleteAsync(resourceGroupName, securityConnectorName).GetAwaiter().GetResult(); + } + + /// + /// Deletes a security connector. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The security connector name. + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this ISecurityConnectorsOperations operations, string resourceGroupName, string securityConnectorName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, securityConnectorName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecurityConnectorsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security connectors in the specified subscription. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified subscription. + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecurityConnectorsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this ISecurityConnectorsOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Lists all the security connectors in the specified resource group. Use the + /// 'nextLink' property in the response to get the next page of security + /// connectors for the specified resource group. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupNextAsync(this ISecurityConnectorsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs new file mode 100644 index 000000000000..95b1543065ae --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs 
@@ -0,0 +1,997 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecurityContactsOperations operations. + /// + internal partial class SecurityContactsOperations : IServiceOperations, ISecurityContactsOperations + { + /// + /// Initializes a new instance of the SecurityContactsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecurityContactsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// List all security contact configurations for the subscription + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get Default Security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string securityContactName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (securityContactName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityContactName"); + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("securityContactName", securityContactName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts/{securityContactName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{securityContactName}", System.Uri.EscapeDataString(securityContactName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Create security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// Security contact object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateWithHttpMessagesAsync(string securityContactName, SecurityContact securityContact, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (securityContactName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityContactName"); + } + if (securityContact == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityContact"); + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = 
ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("securityContactName", securityContactName); + tracingParameters.Add("securityContact", securityContact); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts/{securityContactName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{securityContactName}", System.Uri.EscapeDataString(securityContactName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(securityContact != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(securityContact, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + 
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 201) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new 
SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + // Deserialize Response + if ((int)_statusCode == 201) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Delete security contact configurations for the subscription + /// + /// + /// Name of the security contact object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string securityContactName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (securityContactName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "securityContactName"); + } + string apiVersion = "2020-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("securityContactName", securityContactName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts/{securityContactName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{securityContactName}", System.Uri.EscapeDataString(securityContactName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// List all security contact configurations for the subscription + /// + /// + /// The NextLink from the previous successful call to 
List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs new file mode 100644 index 000000000000..70d81f4a9fe0 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs 
@@ -0,0 +1,192 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecurityContactsOperations. + /// + public static partial class SecurityContactsOperationsExtensions + { + /// + /// List all security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISecurityContactsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// List all security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecurityContactsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get Default Security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security contact object + /// + public static SecurityContact Get(this ISecurityContactsOperations operations, string securityContactName) + { + return operations.GetAsync(securityContactName).GetAwaiter().GetResult(); + } + + /// + /// Get Default Security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the security contact object + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISecurityContactsOperations operations, string securityContactName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(securityContactName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Create security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security contact object + /// + /// + /// Security contact object + /// + public static SecurityContact Create(this ISecurityContactsOperations operations, string securityContactName, SecurityContact securityContact) + { + return operations.CreateAsync(securityContactName, securityContact).GetAwaiter().GetResult(); + } + + /// + /// Create security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security contact object + /// + /// + /// Security contact object + /// + /// + /// The cancellation token. + /// + public static async Task CreateAsync(this ISecurityContactsOperations operations, string securityContactName, SecurityContact securityContact, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(securityContactName, securityContact, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Delete security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the security contact object + /// + public static void Delete(this ISecurityContactsOperations operations, string securityContactName) + { + operations.DeleteAsync(securityContactName).GetAwaiter().GetResult(); + } + + /// + /// Delete security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security contact object + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this ISecurityContactsOperations operations, string securityContactName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(securityContactName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// List all security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecurityContactsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// List all security contact configurations for the subscription + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecurityContactsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperations.cs new file mode 100644 index 000000000000..de7706e3ffbb --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperations.cs 
@@ -0,0 +1,632 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecuritySolutionsOperations operations. + /// + internal partial class SecuritySolutionsOperations : IServiceOperations, ISecuritySolutionsOperations + { + /// + /// Initializes a new instance of the SecuritySolutionsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecuritySolutionsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securitySolutions").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a specific Security Solution. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of security solution. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string securitySolutionName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (securitySolutionName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, 
"securitySolutionName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("securitySolutionName", securitySolutionName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/securitySolutions/{securitySolutionName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{securitySolutionName}", System.Uri.EscapeDataString(securitySolutionName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperationsExtensions.cs new file mode 100644 index 000000000000..cceb5464c183 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsOperationsExtensions.cs 
@@ -0,0 +1,129 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecuritySolutionsOperations. + /// + public static partial class SecuritySolutionsOperationsExtensions + { + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISecuritySolutionsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISecuritySolutionsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a specific Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of security solution. 
+ /// + public static SecuritySolution Get(this ISecuritySolutionsOperations operations, string resourceGroupName, string securitySolutionName) + { + return operations.GetAsync(resourceGroupName, securitySolutionName).GetAwaiter().GetResult(); + } + + /// + /// Gets a specific Security Solution. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of security solution. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISecuritySolutionsOperations operations, string resourceGroupName, string securitySolutionName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, securitySolutionName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISecuritySolutionsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISecuritySolutionsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperations.cs new file mode 100644 index 000000000000..c71d1fe5707a --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperations.cs 
@@ -0,0 +1,426 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SecuritySolutionsReferenceDataOperations operations. + /// + internal partial class SecuritySolutionsReferenceDataOperations : IServiceOperations, ISecuritySolutionsReferenceDataOperations + { + /// + /// Initializes a new instance of the SecuritySolutionsReferenceDataOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SecuritySolutionsReferenceDataOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of all supported Security Solutions for the subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/securitySolutionsReferenceData").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets list of all supported Security Solutions for subscription and + /// location. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/securitySolutionsReferenceData").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperationsExtensions.cs new file mode 100644 index 000000000000..9209ab0f8048 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SecuritySolutionsReferenceDataOperationsExtensions.cs 
@@ -0,0 +1,83 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SecuritySolutionsReferenceDataOperations. + /// + public static partial class SecuritySolutionsReferenceDataOperationsExtensions + { + /// + /// Gets a list of all supported Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + public static SecuritySolutionsReferenceDataList List(this ISecuritySolutionsReferenceDataOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list of all supported Security Solutions for the subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this ISecuritySolutionsReferenceDataOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets list of all supported Security Solutions for subscription and + /// location. + /// + /// + /// The operations group for this extension method. 
+ /// + public static SecuritySolutionsReferenceDataList ListByHomeRegion(this ISecuritySolutionsReferenceDataOperations operations) + { + return operations.ListByHomeRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets list of all supported Security Solutions for subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task ListByHomeRegionAsync(this ISecuritySolutionsReferenceDataOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperations.cs b/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperations.cs new file mode 100644 index 000000000000..cee80b002e95 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperations.cs 
@@ -0,0 +1,1014 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// ServerVulnerabilityAssessmentOperations operations. + /// + internal partial class ServerVulnerabilityAssessmentOperations : IServiceOperations, IServerVulnerabilityAssessmentOperations + { + /// + /// Initializes a new instance of the ServerVulnerabilityAssessmentOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal ServerVulnerabilityAssessmentOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list of server vulnerability assessment onboarding statuses on a + /// given resource. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByExtendedResource", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/serverVulnerabilityAssessments").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a server vulnerability assessment onboarding statuses on a given + /// resource. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string serverVulnerabilityAssessment = "default"; + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("serverVulnerabilityAssessment", serverVulnerabilityAssessment); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/serverVulnerabilityAssessments/{serverVulnerabilityAssessment}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{serverVulnerabilityAssessment}", System.Uri.EscapeDataString(serverVulnerabilityAssessment)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Creating a server vulnerability assessment on a resource, which will + /// onboard a resource for having a vulnerability assessment on it + /// + /// + /// The name of the resource group within the user's subscription. 
The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) 
+ { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string serverVulnerabilityAssessment = "default"; + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("serverVulnerabilityAssessment", serverVulnerabilityAssessment); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/serverVulnerabilityAssessments/{serverVulnerabilityAssessment}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{serverVulnerabilityAssessment}", System.Uri.EscapeDataString(serverVulnerabilityAssessment)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 202) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. 
+ /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The headers that will be added to request. + /// + /// + /// The cancellation token. + /// + public async Task DeleteWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationResponse _response = await BeginDeleteWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task BeginDeleteWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string serverVulnerabilityAssessment = "default"; + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary 
tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("serverVulnerabilityAssessment", serverVulnerabilityAssessment); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginDelete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/serverVulnerabilityAssessments/{serverVulnerabilityAssessment}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{serverVulnerabilityAssessment}", System.Uri.EscapeDataString(serverVulnerabilityAssessment)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 202 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", 
_statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperationsExtensions.cs new file mode 100644 index 000000000000..fd4c58871da3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/ServerVulnerabilityAssessmentOperationsExtensions.cs 
@@ -0,0 +1,295 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for ServerVulnerabilityAssessmentOperations. + /// + public static partial class ServerVulnerabilityAssessmentOperationsExtensions + { + /// + /// Gets a list of server vulnerability assessment onboarding statuses on a + /// given resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static ServerVulnerabilityAssessmentsList ListByExtendedResource(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + return operations.ListByExtendedResourceAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of server vulnerability assessment onboarding statuses on a + /// given resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task ListByExtendedResourceAsync(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByExtendedResourceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a server vulnerability assessment onboarding statuses on a given + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static ServerVulnerabilityAssessment Get(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + return operations.GetAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets a server vulnerability assessment onboarding statuses on a given + /// resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Creating a server vulnerability assessment on a resource, which will + /// onboard a resource for having a vulnerability assessment on it + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static ServerVulnerabilityAssessment CreateOrUpdate(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + return operations.CreateOrUpdateAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Creating a server vulnerability assessment on a resource, which will + /// onboard a resource for having a vulnerability assessment on it + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task CreateOrUpdateAsync(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static void Delete(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + operations.DeleteAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task DeleteAsync(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static void BeginDelete(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + operations.BeginDeleteAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Removing server vulnerability assessment from a resource. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The Namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task BeginDeleteAsync(this IServerVulnerabilityAssessmentOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.BeginDeleteWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SettingsOperations.cs new file mode 100644 index 000000000000..d0246181d487 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SettingsOperations.cs 
@@ -0,0 +1,811 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SettingsOperations operations. + /// + internal partial class SettingsOperations : IServiceOperations, ISettingsOperations + { + /// + /// Initializes a new instance of the SettingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SettingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2022-05-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/settings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings of different configurations in Microsoft Defender for Cloud + /// + /// + /// The name of the setting. 
Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string settingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (settingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "settingName"); + } + string apiVersion = "2022-05-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/settings/{settingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = 
await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// updating settings about different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + /// + /// Setting object + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> UpdateWithHttpMessagesAsync(string settingName, Setting setting, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (settingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "settingName"); + } + if (setting == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "setting"); + } + string apiVersion = "2022-05-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("settingName", settingName); + tracingParameters.Add("setting", setting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/settings/{settingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{settingName}", System.Uri.EscapeDataString(settingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(setting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(setting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if 
(Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string 
_requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SettingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SettingsOperationsExtensions.cs new file mode 100644 index 000000000000..402f8d5e9e51 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SettingsOperationsExtensions.cs 
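Review bot: In `ListNextWithHttpMessagesAsync` the request URI is taken verbatim from `nextPageLink` (`_url.Replace("{nextLink}", nextPageLink)` followed by `new System.Uri(_url)`), and the only check on it is for null, yet it goes through the same `Client.Credentials.ProcessHttpRequestAsync` step as the calls built from `Client.BaseUri`. If that step adds an authorization header, as it presumably does, a link that did not come from a previous List response would send the caller's token to whatever host the link names. The file header marks this as AutoRest output that is lost on regeneration, so the guard belongs in the hand-written caller rather than here, for example `if (!string.Equals(new System.Uri(nextPageLink).Host, Client.BaseUri.Host, System.StringComparison.OrdinalIgnoreCase)) throw new ValidationException(ValidationRules.Pattern, "nextPageLink");` before the call. The `ListNext` and `ListNextAsync` extensions in SettingsOperationsExtensions.cs pass the value through unchanged, so they need the same caller-side check.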
@@ -0,0 +1,167 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SettingsOperations. + /// + public static partial class SettingsOperationsExtensions + { + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ISettingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISettingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings of different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the setting. 
Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + public static Setting Get(this ISettingsOperations operations, string settingName) + { + return operations.GetAsync(settingName).GetAwaiter().GetResult(); + } + + /// + /// Settings of different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISettingsOperations operations, string settingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(settingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// updating settings about different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + /// + /// Setting object + /// + public static Setting Update(this ISettingsOperations operations, string settingName, Setting setting) + { + return operations.UpdateAsync(settingName, setting).GetAwaiter().GetResult(); + } + + /// + /// updating settings about different configurations in Microsoft Defender for + /// Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the setting. Possible values include: 'MCAS', 'WDATP', + /// 'WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW', 'WDATP_UNIFIED_SOLUTION', 'Sentinel' + /// + /// + /// Setting object + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateAsync(this ISettingsOperations operations, string settingName, Setting setting, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(settingName, setting, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISettingsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Settings about different configurations in Microsoft Defender for Cloud + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISettingsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperations.cs b/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperations.cs new file mode 100644 index 000000000000..79f3935d59fa --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperations.cs 
@@ -0,0 +1,1062 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SoftwareInventoriesOperations operations. + /// + internal partial class SoftwareInventoriesOperations : IServiceOperations, ISoftwareInventoriesOperations + { + /// + /// Initializes a new instance of the SoftwareInventoriesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SoftwareInventoriesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByExtendedResourceWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + string apiVersion = "2021-05-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByExtendedResource", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/softwareInventories").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2021-05-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscription", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/softwareInventories").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a single software data of the virtual machine. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Name of the installed software. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string softwareName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (resourceNamespace == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceNamespace"); + } + if (resourceType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceType"); + } + if (resourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceName"); + } + if (softwareName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "softwareName"); + } + string apiVersion = "2021-05-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + 
_invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("resourceNamespace", resourceNamespace); + tracingParameters.Add("resourceType", resourceType); + tracingParameters.Add("resourceName", resourceName); + tracingParameters.Add("softwareName", softwareName); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Security/softwareInventories/{softwareName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{resourceNamespace}", System.Uri.EscapeDataString(resourceNamespace)); + _url = _url.Replace("{resourceType}", System.Uri.EscapeDataString(resourceType)); + _url = _url.Replace("{resourceName}", System.Uri.EscapeDataString(resourceName)); + _url = _url.Replace("{softwareName}", System.Uri.EscapeDataString(softwareName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByExtendedResourceNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByExtendedResourceNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListBySubscriptionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListBySubscriptionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperationsExtensions.cs new file mode 100644 index 000000000000..622f67f67bc9 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SoftwareInventoriesOperationsExtensions.cs 
@@ -0,0 +1,235 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SoftwareInventoriesOperations. + /// + public static partial class SoftwareInventoriesOperationsExtensions + { + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + public static IPage ListByExtendedResource(this ISoftwareInventoriesOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName) + { + return operations.ListByExtendedResourceAsync(resourceGroupName, resourceNamespace, resourceType, resourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByExtendedResourceAsync(this ISoftwareInventoriesOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByExtendedResourceWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListBySubscription(this ISoftwareInventoriesOperations operations) + { + return operations.ListBySubscriptionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionAsync(this ISoftwareInventoriesOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a single software data of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Name of the installed software. 
+ /// + public static Software Get(this ISoftwareInventoriesOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string softwareName) + { + return operations.GetAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, softwareName).GetAwaiter().GetResult(); + } + + /// + /// Gets a single software data of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// The namespace of the resource. + /// + /// + /// The type of the resource. + /// + /// + /// Name of the resource. + /// + /// + /// Name of the installed software. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISoftwareInventoriesOperations operations, string resourceGroupName, string resourceNamespace, string resourceType, string resourceName, string softwareName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, resourceNamespace, resourceType, resourceName, softwareName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByExtendedResourceNext(this ISoftwareInventoriesOperations operations, string nextPageLink) + { + return operations.ListByExtendedResourceNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets the software inventory of the virtual machine. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// The cancellation token. + /// + public static async Task> ListByExtendedResourceNextAsync(this ISoftwareInventoriesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByExtendedResourceNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListBySubscriptionNext(this ISoftwareInventoriesOperations operations, string nextPageLink) + { + return operations.ListBySubscriptionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets the software inventory of all virtual machines in the subscriptions. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListBySubscriptionNextAsync(this ISoftwareInventoriesOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListBySubscriptionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperations.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperations.cs new file mode 100644 index 000000000000..a73d325a2059 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperations.cs 
@@ -0,0 +1,1094 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentBaselineRulesOperations operations. + /// + internal partial class SqlVulnerabilityAssessmentBaselineRulesOperations : IServiceOperations, ISqlVulnerabilityAssessmentBaselineRulesOperations + { + /// + /// Initializes a new instance of the SqlVulnerabilityAssessmentBaselineRulesOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SqlVulnerabilityAssessmentBaselineRulesOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Creates a Baseline for a rule in a database. Will overwrite any previously + /// existing results. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> CreateOrUpdateWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IList> results = default(IList>), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + RuleResultsInput body = default(RuleResultsInput); + if (latestScan != null || results != null) + { + body = new RuleResultsInput(); + body.LatestScan = latestScan; + body.Results = results; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "CreateOrUpdate", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url 
= new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/baselineRules/{ruleId}").ToString(); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + 
_httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = 
_httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the results for a given rule in the Baseline. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/baselineRules/{ruleId}").ToString(); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes a rule from the Baseline of a given database. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string ruleId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/baselineRules/{ruleId}").ToString(); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets the results for all rules in the Baseline. 
+ /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> ListWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/baselineRules").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); 
+ _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + 
_httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Add a list of baseline rules. Will overwrite any previously existing + /// results (for all rules). + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> AddWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, bool? 
latestScan = default(bool?), IDictionary>> results = default(IDictionary>>), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + RulesResultsInput body = default(RulesResultsInput); + if (latestScan != null || results != null) + { + body = new RulesResultsInput(); + body.LatestScan = latestScan; + body.Results = results; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("body", body); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Add", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/baselineRules").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(body != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(body, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, 
_httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } 
+ } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperationsExtensions.cs new file mode 100644 index 000000000000..0ed1ee0ba393 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentBaselineRulesOperationsExtensions.cs 
@@ -0,0 +1,304 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Collections; + using System.Collections.Generic; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SqlVulnerabilityAssessmentBaselineRulesOperations. + /// + public static partial class SqlVulnerabilityAssessmentBaselineRulesOperationsExtensions + { + /// + /// Creates a Baseline for a rule in a database. Will overwrite any previously + /// existing results. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + public static RuleResults CreateOrUpdate(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IList> results = default(IList>)) + { + return operations.CreateOrUpdateAsync(ruleId, workspaceId, apiVersion, resourceId, latestScan, results).GetAwaiter().GetResult(); + } + + /// + /// Creates a Baseline for a rule in a database. Will overwrite any previously + /// existing results. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. 
+ /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// The cancellation token. + /// + public static async Task CreateOrUpdateAsync(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IList> results = default(IList>), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(ruleId, workspaceId, apiVersion, resourceId, latestScan, results, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets the results for a given rule in the Baseline. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static RuleResults Get(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId) + { + return operations.GetAsync(ruleId, workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets the results for a given rule in the Baseline. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(ruleId, workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes a rule from the Baseline of a given database. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static void Delete(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId) + { + operations.DeleteAsync(ruleId, workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Deletes a rule from the Baseline of a given database. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The rule Id. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string ruleId, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(ruleId, workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Gets the results for all rules in the Baseline. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. 
+ /// + public static RulesResults List(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string workspaceId, string apiVersion, string resourceId) + { + return operations.ListAsync(workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets the results for all rules in the Baseline. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Add a list of baseline rules. Will overwrite any previously existing + /// results (for all rules). + /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + public static RulesResults Add(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IDictionary>> results = default(IDictionary>>)) + { + return operations.AddAsync(workspaceId, apiVersion, resourceId, latestScan, results).GetAwaiter().GetResult(); + } + + /// + /// Add a list of baseline rules. Will overwrite any previously existing + /// results (for all rules). 
+ /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Take results from latest scan. + /// + /// + /// Expected results to be inserted into the baseline. + /// Leave this field empty it LatestScan == true. + /// + /// + /// The cancellation token. + /// + public static async Task AddAsync(this ISqlVulnerabilityAssessmentBaselineRulesOperations operations, string workspaceId, string apiVersion, string resourceId, bool? latestScan = default(bool?), IDictionary>> results = default(IDictionary>>), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.AddWithHttpMessagesAsync(workspaceId, apiVersion, resourceId, latestScan, results, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperations.cs new file mode 100644 index 000000000000..5a9f5d770742 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperations.cs 
@@ -0,0 +1,477 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentScanResultsOperations operations. + /// + internal partial class SqlVulnerabilityAssessmentScanResultsOperations : IServiceOperations, ISqlVulnerabilityAssessmentScanResultsOperations + { + /// + /// Initializes a new instance of the SqlVulnerabilityAssessmentScanResultsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SqlVulnerabilityAssessmentScanResultsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets the scan results of a single rule in a scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The rule Id of the results. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string scanId, string scanResultId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scanId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scanId"); + } + if (scanResultId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scanResultId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("scanId", scanId); + tracingParameters.Add("scanResultId", scanResultId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/scans/{scanId}/scanResults/{scanResultId}").ToString(); + _url = _url.Replace("{scanId}", System.Uri.EscapeDataString(scanId)); + _url = _url.Replace("{scanResultId}", System.Uri.EscapeDataString(scanResultId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of scan results for a single scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> ListWithHttpMessagesAsync(string scanId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scanId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scanId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("scanId", scanId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/scans/{scanId}/scanResults").ToString(); + _url = _url.Replace("{scanId}", System.Uri.EscapeDataString(scanId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperationsExtensions.cs new file mode 100644 index 000000000000..d8afab1ab968 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScanResultsOperationsExtensions.cs 
@@ -0,0 +1,135 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SqlVulnerabilityAssessmentScanResultsOperations. + /// + public static partial class SqlVulnerabilityAssessmentScanResultsOperationsExtensions + { + /// + /// Gets the scan results of a single rule in a scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The rule Id of the results. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static ScanResult Get(this ISqlVulnerabilityAssessmentScanResultsOperations operations, string scanId, string scanResultId, string workspaceId, string apiVersion, string resourceId) + { + return operations.GetAsync(scanId, scanResultId, workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets the scan results of a single rule in a scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The rule Id of the results. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISqlVulnerabilityAssessmentScanResultsOperations operations, string scanId, string scanResultId, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scanId, scanResultId, workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of scan results for a single scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static ScanResults List(this ISqlVulnerabilityAssessmentScanResultsOperations operations, string scanId, string workspaceId, string apiVersion, string resourceId) + { + return operations.ListAsync(scanId, workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of scan results for a single scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan results for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this ISqlVulnerabilityAssessmentScanResultsOperations operations, string scanId, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scanId, workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperations.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperations.cs new file mode 100644 index 000000000000..f7fa62fe09b8 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperations.cs 
@@ -0,0 +1,459 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SqlVulnerabilityAssessmentScansOperations operations. + /// + internal partial class SqlVulnerabilityAssessmentScansOperations : IServiceOperations, ISqlVulnerabilityAssessmentScansOperations + { + /// + /// Initializes a new instance of the SqlVulnerabilityAssessmentScansOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SqlVulnerabilityAssessmentScansOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets the scan details of a single scan record. + /// + /// + /// The scan Id. Type 'latest' to get the scan record for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string scanId, string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scanId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scanId"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("scanId", scanId); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/scans/{scanId}").ToString(); + _url = _url.Replace("{scanId}", System.Uri.EscapeDataString(scanId)); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list of scan records. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> ListWithHttpMessagesAsync(string workspaceId, string apiVersion, string resourceId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (apiVersion == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "apiVersion"); + } + if (resourceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceId"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("workspaceId", workspaceId); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceId", resourceId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{resourceId}/providers/Microsoft.Security/sqlVulnerabilityAssessments/default/scans").ToString(); + _url = _url.Replace("{resourceId}", resourceId); + List _queryParameters = new List(); + if (workspaceId != null) + { + _queryParameters.Add(string.Format("workspaceId={0}", System.Uri.EscapeDataString(workspaceId))); + } + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperationsExtensions.cs new file mode 100644 index 000000000000..43f7145dc144 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SqlVulnerabilityAssessmentScansOperationsExtensions.cs 
@@ -0,0 +1,123 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SqlVulnerabilityAssessmentScansOperations. + /// + public static partial class SqlVulnerabilityAssessmentScansOperationsExtensions + { + /// + /// Gets the scan details of a single scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan record for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static Scan Get(this ISqlVulnerabilityAssessmentScansOperations operations, string scanId, string workspaceId, string apiVersion, string resourceId) + { + return operations.GetAsync(scanId, workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets the scan details of a single scan record. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The scan Id. Type 'latest' to get the scan record for the latest scan. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISqlVulnerabilityAssessmentScansOperations operations, string scanId, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scanId, workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list of scan records. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + public static Scans List(this ISqlVulnerabilityAssessmentScansOperations operations, string workspaceId, string apiVersion, string resourceId) + { + return operations.ListAsync(workspaceId, apiVersion, resourceId).GetAwaiter().GetResult(); + } + + /// + /// Gets a list of scan records. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The workspace Id. + /// + /// + /// The api version. + /// + /// + /// The identifier of the resource. + /// + /// + /// The cancellation token. + /// + public static async Task ListAsync(this ISqlVulnerabilityAssessmentScansOperations operations, string workspaceId, string apiVersion, string resourceId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(workspaceId, apiVersion, resourceId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperations.cs new file mode 100644 index 000000000000..e5b502213ff3 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperations.cs 
@@ -0,0 +1,975 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SubAssessmentsOperations operations. + /// + internal partial class SubAssessmentsOperations : IServiceOperations, ISubAssessmentsOperations + { + /// + /// Initializes a new instance of the SubAssessmentsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SubAssessmentsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListAllWithHttpMessagesAsync(string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListAll", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/subAssessments").ToString(); + _url = _url.Replace("{scope}", scope); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// 
(/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListWithHttpMessagesAsync(string scope, string assessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/subAssessments").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + 
_httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get a security sub-assessment on your scanned resource + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The Sub-Assessment Key - Unique key for the sub-assessment type + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string scope, string assessmentName, string subAssessmentName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + if (assessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "assessmentName"); + } + if (subAssessmentName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "subAssessmentName"); + } + string apiVersion = "2019-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("scope", scope); + tracingParameters.Add("assessmentName", assessmentName); + tracingParameters.Add("subAssessmentName", subAssessmentName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "{scope}/providers/Microsoft.Security/assessments/{assessmentName}/subAssessments/{subAssessmentName}").ToString(); + _url = _url.Replace("{scope}", scope); + _url = _url.Replace("{assessmentName}", System.Uri.EscapeDataString(assessmentName)); + _url = _url.Replace("{subAssessmentName}", System.Uri.EscapeDataString(subAssessmentName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListAllNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListAllNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperationsExtensions.cs new file mode 100644 index 000000000000..afe53f2d6811 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SubAssessmentsOperationsExtensions.cs 
@@ -0,0 +1,229 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SubAssessmentsOperations. + /// + public static partial class SubAssessmentsOperationsExtensions + { + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + public static IPage ListAll(this ISubAssessmentsOperations operations, string scope) + { + return operations.ListAllAsync(scope).GetAwaiter().GetResult(); + } + + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListAllAsync(this ISubAssessmentsOperations operations, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListAllWithHttpMessagesAsync(scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + public static IPage List(this ISubAssessmentsOperations operations, string scope, string assessmentName) + { + return operations.ListAsync(scope, assessmentName).GetAwaiter().GetResult(); + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ISubAssessmentsOperations operations, string scope, string assessmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(scope, assessmentName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a security sub-assessment on your scanned resource + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The Sub-Assessment Key - Unique key for the sub-assessment type + /// + public static SecuritySubAssessment Get(this ISubAssessmentsOperations operations, string scope, string assessmentName, string subAssessmentName) + { + return operations.GetAsync(scope, assessmentName, subAssessmentName).GetAwaiter().GetResult(); + } + + /// + /// Get a security sub-assessment on your scanned resource + /// + /// + /// The operations group for this extension method. + /// + /// + /// Scope of the query, can be subscription + /// (/subscriptions/0b06d9ea-afe6-4779-bd59-30e5c2d9d13f) or management group + /// (/providers/Microsoft.Management/managementGroups/mgName). + /// + /// + /// The Assessment Key - Unique key for the assessment type + /// + /// + /// The Sub-Assessment Key - Unique key for the sub-assessment type + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ISubAssessmentsOperations operations, string scope, string assessmentName, string subAssessmentName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(scope, assessmentName, subAssessmentName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListAllNext(this ISubAssessmentsOperations operations, string nextPageLink) + { + return operations.ListAllNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get security sub-assessments on all your scanned resources inside a + /// subscription scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAllNextAsync(this ISubAssessmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListAllNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ISubAssessmentsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Get security sub-assessments on all your scanned resources inside a scope + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ISubAssessmentsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperations.cs b/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperations.cs new file mode 100644 index 000000000000..a76a04de2fed --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperations.cs 
@@ -0,0 +1,311 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// SubscriptionGovernanceRulesExecuteStatusOperations operations. + /// + internal partial class SubscriptionGovernanceRulesExecuteStatusOperations : IServiceOperations, ISubscriptionGovernanceRulesExecuteStatusOperations + { + /// + /// Initializes a new instance of the SubscriptionGovernanceRulesExecuteStatusOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal SubscriptionGovernanceRulesExecuteStatusOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + // Send request + AzureOperationResponse _response = await BeginGetWithHttpMessagesAsync(ruleId, operationId, customHeaders, cancellationToken).ConfigureAwait(false); + return await Client.GetPostOrDeleteOperationResultAsync(_response, customHeaders, cancellationToken).ConfigureAwait(false); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> BeginGetWithHttpMessagesAsync(string ruleId, string operationId, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (ruleId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "ruleId"); + } + if (operationId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "operationId"); + } + string apiVersion = "2022-01-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("ruleId", ruleId); + tracingParameters.Add("operationId", operationId); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "BeginGet", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/governanceRules/{ruleId}/operationResults/{operationId}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ruleId}", System.Uri.EscapeDataString(ruleId)); + _url = _url.Replace("{operationId}", System.Uri.EscapeDataString(operationId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200 && (int)_statusCode != 202) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body 
= Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + try + { + _result.Headers = _httpResponse.GetHeadersAsJson().ToObject(JsonSerializer.Create(Client.DeserializationSettings)); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the headers.", _httpResponse.GetHeadersAsJson().ToString(), ex); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperationsExtensions.cs new file mode 100644 index 000000000000..6bd526fce67d --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/SubscriptionGovernanceRulesExecuteStatusOperationsExtensions.cs 
@@ -0,0 +1,117 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for SubscriptionGovernanceRulesExecuteStatusOperations. + /// + public static partial class SubscriptionGovernanceRulesExecuteStatusOperationsExtensions + { + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + public static ExecuteRuleStatus Get(this ISubscriptionGovernanceRulesExecuteStatusOperations operations, string ruleId, string operationId) + { + return operations.GetAsync(ruleId, operationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetAsync(this ISubscriptionGovernanceRulesExecuteStatusOperations operations, string ruleId, string operationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(ruleId, operationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + public static ExecuteRuleStatus BeginGet(this ISubscriptionGovernanceRulesExecuteStatusOperations operations, string ruleId, string operationId) + { + return operations.BeginGetAsync(ruleId, operationId).GetAwaiter().GetResult(); + } + + /// + /// Get a specific governanceRule execution status for the requested scope by + /// ruleId and operationId + /// + /// + /// The operations group for this extension method. + /// + /// + /// The security GovernanceRule key - unique key for the standard + /// GovernanceRule + /// + /// + /// The security GovernanceRule execution key - unique key for the execution of + /// GovernanceRule + /// + /// + /// The cancellation token. + /// + public static async Task BeginGetAsync(this ISubscriptionGovernanceRulesExecuteStatusOperations operations, string ruleId, string operationId, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.BeginGetWithHttpMessagesAsync(ruleId, operationId, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/TasksOperations.cs b/src/Security/Security.Management.Sdk/Generated/TasksOperations.cs new file mode 100644 index 000000000000..7f16ee354316 --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/TasksOperations.cs 
@@ -0,0 +1,2007 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// TasksOperations operations. + /// + internal partial class TasksOperations : IServiceOperations, ITasksOperations + { + /// + /// Initializes a new instance of the TasksOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal TasksOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/tasks").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionWithHttpMessagesAsync(string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetSubscriptionLevelTaskWithHttpMessagesAsync(string taskName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (taskName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "taskName"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("taskName", taskName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "GetSubscriptionLevelTask", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{taskName}", System.Uri.EscapeDataString(taskName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task UpdateSubscriptionLevelTaskStateWithHttpMessagesAsync(string taskName, string taskUpdateActionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (taskName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "taskName"); + } + if (taskUpdateActionType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "taskUpdateActionType"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("taskName", taskName); + tracingParameters.Add("taskUpdateActionType", taskUpdateActionType); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateSubscriptionLevelTaskState", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}/{taskUpdateActionType}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{taskName}", System.Uri.EscapeDataString(taskName)); + _url = _url.Replace("{taskUpdateActionType}", System.Uri.EscapeDataString(taskUpdateActionType)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, 
cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + 
/// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// OData filter. Optional. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupWithHttpMessagesAsync(string resourceGroupName, string filter = default(string), Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", 
"^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("filter", filter); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroup", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (filter != null) + { + _queryParameters.Add(string.Format("$filter={0}", System.Uri.EscapeDataString(filter))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetResourceGroupLevelTaskWithHttpMessagesAsync(string resourceGroupName, string taskName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (taskName == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "taskName"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("taskName", taskName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "GetResourceGroupLevelTask", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{taskName}", System.Uri.EscapeDataString(taskName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. 
+ /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task UpdateResourceGroupLevelTaskStateWithHttpMessagesAsync(string resourceGroupName, string taskName, string taskUpdateActionType, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new 
ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (taskName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "taskName"); + } + if (taskUpdateActionType == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "taskUpdateActionType"); + } + string apiVersion = "2015-06-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("taskName", taskName); + tracingParameters.Add("taskUpdateActionType", taskUpdateActionType); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "UpdateResourceGroupLevelTaskState", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}/{taskUpdateActionType}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{taskName}", System.Uri.EscapeDataString(taskName)); + _url = _url.Replace("{taskUpdateActionType}", System.Uri.EscapeDataString(taskUpdateActionType)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("POST"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != 
null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = 
_httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByResourceGroupNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByResourceGroupNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/TasksOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/TasksOperationsExtensions.cs new file mode 100644 index 000000000000..45a9bdd70a7b 
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/TasksOperationsExtensions.cs
@@ -0,0 +1,419 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for TasksOperations. + /// + public static partial class TasksOperationsExtensions + { + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. + /// + public static IPage List(this ITasksOperations operations, string filter = default(string)) + { + return operations.ListAsync(filter).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ITasksOperations operations, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. 
+ /// + public static IPage ListByHomeRegion(this ITasksOperations operations, string filter = default(string)) + { + return operations.ListByHomeRegionAsync(filter).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionAsync(this ITasksOperations operations, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the task object, will be a GUID + /// + public static SecurityTask GetSubscriptionLevelTask(this ITasksOperations operations, string taskName) + { + return operations.GetSubscriptionLevelTaskAsync(taskName).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// The cancellation token. 
+ /// + public static async Task GetSubscriptionLevelTaskAsync(this ITasksOperations operations, string taskName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetSubscriptionLevelTaskWithHttpMessagesAsync(taskName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + public static void UpdateSubscriptionLevelTaskState(this ITasksOperations operations, string taskName, string taskUpdateActionType) + { + operations.UpdateSubscriptionLevelTaskStateAsync(taskName, taskUpdateActionType).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// The cancellation token. + /// + public static async Task UpdateSubscriptionLevelTaskStateAsync(this ITasksOperations operations, string taskName, string taskUpdateActionType, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateSubscriptionLevelTaskStateWithHttpMessagesAsync(taskName, taskUpdateActionType, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// OData filter. Optional. + /// + public static IPage ListByResourceGroup(this ITasksOperations operations, string resourceGroupName, string filter = default(string)) + { + return operations.ListByResourceGroupAsync(resourceGroupName, filter).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// OData filter. Optional. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupAsync(this ITasksOperations operations, string resourceGroupName, string filter = default(string), CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupWithHttpMessagesAsync(resourceGroupName, filter, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + public static SecurityTask GetResourceGroupLevelTask(this ITasksOperations operations, string resourceGroupName, string taskName) + { + return operations.GetResourceGroupLevelTaskAsync(resourceGroupName, taskName).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// The cancellation token. + /// + public static async Task GetResourceGroupLevelTaskAsync(this ITasksOperations operations, string resourceGroupName, string taskName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetResourceGroupLevelTaskWithHttpMessagesAsync(resourceGroupName, taskName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + public static void UpdateResourceGroupLevelTaskState(this ITasksOperations operations, string resourceGroupName, string taskName, string taskUpdateActionType) + { + operations.UpdateResourceGroupLevelTaskStateAsync(resourceGroupName, taskName, taskUpdateActionType).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of the task object, will be a GUID + /// + /// + /// Type of the action to do on the task. Possible values include: 'Activate', + /// 'Dismiss', 'Start', 'Resolve', 'Close' + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateResourceGroupLevelTaskStateAsync(this ITasksOperations operations, string resourceGroupName, string taskName, string taskUpdateActionType, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.UpdateResourceGroupLevelTaskStateWithHttpMessagesAsync(resourceGroupName, taskName, taskUpdateActionType, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListNext(this ITasksOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ITasksOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListByHomeRegionNext(this ITasksOperations operations, string nextPageLink) + { + return operations.ListByHomeRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionNextAsync(this ITasksOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByResourceGroupNext(this ITasksOperations operations, string nextPageLink) + { + return operations.ListByResourceGroupNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Recommended tasks that will help improve the security of the subscription + /// proactively + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByResourceGroupNextAsync(this ITasksOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByResourceGroupNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/TopologyOperations.cs b/src/Security/Security.Management.Sdk/Generated/TopologyOperations.cs
new file mode 100644
index 000000000000..4a971359baa8
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/TopologyOperations.cs
@@ -0,0 +1,995 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// TopologyOperations operations. + /// + internal partial class TopologyOperations : IServiceOperations, ITopologyOperations + { + /// + /// Initializes a new instance of the TopologyOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal TopologyOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/topologies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. 
+ /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegion", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/topologies").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, 
Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a specific topology component. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a topology resources collection. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> GetWithHttpMessagesAsync(string resourceGroupName, string topologyResourceName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (resourceGroupName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "resourceGroupName"); + } + if (resourceGroupName != null) + { + if (resourceGroupName.Length > 90) + { + throw new ValidationException(ValidationRules.MaxLength, "resourceGroupName", 90); + } + if (resourceGroupName.Length < 1) + { + throw new ValidationException(ValidationRules.MinLength, "resourceGroupName", 1); + } + if (!System.Text.RegularExpressions.Regex.IsMatch(resourceGroupName, "^[-\\w\\._\\(\\)]+$")) + { + throw new ValidationException(ValidationRules.Pattern, "resourceGroupName", "^[-\\w\\._\\(\\)]+$"); + } + } + if (Client.AscLocation == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.AscLocation"); + } + if (topologyResourceName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "topologyResourceName"); + } + string apiVersion = "2020-01-01"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("resourceGroupName", resourceGroupName); + tracingParameters.Add("topologyResourceName", topologyResourceName); + 
tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/topologies/{topologyResourceName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{resourceGroupName}", System.Uri.EscapeDataString(resourceGroupName)); + _url = _url.Replace("{ascLocation}", System.Uri.EscapeDataString(Client.AscLocation)); + _url = _url.Replace("{topologyResourceName}", System.Uri.EscapeDataString(topologyResourceName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. 
+ /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListByHomeRegionNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListByHomeRegionNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} diff --git a/src/Security/Security.Management.Sdk/Generated/TopologyOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/TopologyOperationsExtensions.cs new file mode 100644 index 000000000000..a9873ee82612 
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/TopologyOperationsExtensions.cs
@@ -0,0 +1,195 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for TopologyOperations. + /// + public static partial class TopologyOperationsExtensions + { + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this ITopologyOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this ITopologyOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + public static IPage ListByHomeRegion(this ITopologyOperations operations) + { + return operations.ListByHomeRegionAsync().GetAwaiter().GetResult(); + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. 
+ /// + public static async Task> ListByHomeRegionAsync(this ITopologyOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a specific topology component. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a topology resources collection. + /// + public static TopologyResource Get(this ITopologyOperations operations, string resourceGroupName, string topologyResourceName) + { + return operations.GetAsync(resourceGroupName, topologyResourceName).GetAwaiter().GetResult(); + } + + /// + /// Gets a specific topology component. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The name of the resource group within the user's subscription. The name is + /// case insensitive. + /// + /// + /// Name of a topology resources collection. + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this ITopologyOperations operations, string resourceGroupName, string topologyResourceName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(resourceGroupName, topologyResourceName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this ITopologyOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list that allows to build a topology view of a subscription. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this ITopologyOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + public static IPage ListByHomeRegionNext(this ITopologyOperations operations, string nextPageLink) + { + return operations.ListByHomeRegionNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Gets a list that allows to build a topology view of a subscription and + /// location. + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListByHomeRegionNextAsync(this ITopologyOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListByHomeRegionNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperations.cs
new file mode 100644
index 000000000000..e3a984e5f273
--- /dev/null
+++ b/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperations.cs
@@ -0,0 +1,1217 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using Newtonsoft.Json; + using System.Collections; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Threading; + using System.Threading.Tasks; + + /// + /// WorkspaceSettingsOperations operations. + /// + internal partial class WorkspaceSettingsOperations : IServiceOperations, IWorkspaceSettingsOperations + { + /// + /// Initializes a new instance of the WorkspaceSettingsOperations class. + /// + /// + /// Reference to the service client. + /// + /// + /// Thrown when a required parameter is null + /// + internal WorkspaceSettingsOperations(SecurityCenterClient client) + { + if (client == null) + { + throw new System.ArgumentNullException("client"); + } + Client = client; + } + + /// + /// Gets a reference to the SecurityCenterClient + /// + public SecurityCenterClient Client { get; private set; } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "List", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/workspaceSettings").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings about where we should store your security data and logs. 
If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// Name of the security setting + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task> GetWithHttpMessagesAsync(string workspaceSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (workspaceSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceSettingName"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("workspaceSettingName", workspaceSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Get", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new 
System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/workspaceSettings/{workspaceSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{workspaceSettingName}", System.Uri.EscapeDataString(workspaceSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + 
ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = 
Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// creating settings about where we should store your security data and logs + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> CreateWithHttpMessagesAsync(string workspaceSettingName, string workspaceId, string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (workspaceSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceSettingName"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2017-08-01-preview"; + WorkspaceSetting workspaceSetting = new WorkspaceSetting(); + if (workspaceId != null || scope != null) + { + workspaceSetting.WorkspaceId = workspaceId; + workspaceSetting.Scope = scope; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("workspaceSettingName", workspaceSettingName); + tracingParameters.Add("workspaceSetting", workspaceSetting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Create", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/workspaceSettings/{workspaceSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{workspaceSettingName}", System.Uri.EscapeDataString(workspaceSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PUT"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(workspaceSetting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(workspaceSetting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; 
charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings about where we should store your security data and logs + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task> UpdateWithHttpMessagesAsync(string workspaceSettingName, string workspaceId, string scope, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (workspaceSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceSettingName"); + } + if (workspaceId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceId"); + } + if (scope == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "scope"); + } + string apiVersion = "2017-08-01-preview"; + WorkspaceSetting workspaceSetting = new WorkspaceSetting(); + if (workspaceId != null || scope != null) + { + workspaceSetting.WorkspaceId = workspaceId; + workspaceSetting.Scope = scope; + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("workspaceSettingName", workspaceSettingName); + tracingParameters.Add("workspaceSetting", workspaceSetting); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Update", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/workspaceSettings/{workspaceSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{workspaceSettingName}", System.Uri.EscapeDataString(workspaceSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("PATCH"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + if(workspaceSetting != null) + { + _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(workspaceSetting, Client.SerializationSettings); + _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8); + _httpRequest.Content.Headers.ContentType =System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; 
charset=utf-8"); + } + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + 
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Deletes the custom workspace settings for this subscription. new VMs will + /// report to the default workspace + /// + /// + /// Name of the security setting + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. 
+ /// + public async Task DeleteWithHttpMessagesAsync(string workspaceSettingName, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (Client.SubscriptionId == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "this.Client.SubscriptionId"); + } + if (Client.SubscriptionId != null) + { + if (!System.Text.RegularExpressions.Regex.IsMatch(Client.SubscriptionId, "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")) + { + throw new ValidationException(ValidationRules.Pattern, "Client.SubscriptionId", "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"); + } + } + if (workspaceSettingName == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "workspaceSettingName"); + } + string apiVersion = "2017-08-01-preview"; + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("apiVersion", apiVersion); + tracingParameters.Add("workspaceSettingName", workspaceSettingName); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "Delete", tracingParameters); + } + // Construct URL + var _baseUrl = Client.BaseUri.AbsoluteUri; + var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? 
"" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.Security/workspaceSettings/{workspaceSettingName}").ToString(); + _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(Client.SubscriptionId)); + _url = _url.Replace("{workspaceSettingName}", System.Uri.EscapeDataString(workspaceSettingName)); + List _queryParameters = new List(); + if (apiVersion != null) + { + _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion))); + } + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("DELETE"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + 
cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 204) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + /// + /// Settings about where we should store your security data and logs. 
If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// Headers that will be added to request. + /// + /// + /// The cancellation token. + /// + /// + /// Thrown when the operation returned an invalid status code + /// + /// + /// Thrown when unable to deserialize the response + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// Thrown when a required parameter is null + /// + /// + /// A response object containing the response body and response headers. + /// + public async Task>> ListNextWithHttpMessagesAsync(string nextPageLink, Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + { + if (nextPageLink == null) + { + throw new ValidationException(ValidationRules.CannotBeNull, "nextPageLink"); + } + // Tracing + bool _shouldTrace = ServiceClientTracing.IsEnabled; + string _invocationId = null; + if (_shouldTrace) + { + _invocationId = ServiceClientTracing.NextInvocationId.ToString(); + Dictionary tracingParameters = new Dictionary(); + tracingParameters.Add("nextPageLink", nextPageLink); + tracingParameters.Add("cancellationToken", cancellationToken); + ServiceClientTracing.Enter(_invocationId, this, "ListNext", tracingParameters); + } + // Construct URL + string _url = "{nextLink}"; + _url = _url.Replace("{nextLink}", nextPageLink); + List _queryParameters = new List(); + if (_queryParameters.Count > 0) + { + _url += (_url.Contains("?") ? 
"&" : "?") + string.Join("&", _queryParameters); + } + // Create HTTP transport objects + var _httpRequest = new HttpRequestMessage(); + HttpResponseMessage _httpResponse = null; + _httpRequest.Method = new HttpMethod("GET"); + _httpRequest.RequestUri = new System.Uri(_url); + // Set Headers + if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value) + { + _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString()); + } + if (Client.AcceptLanguage != null) + { + if (_httpRequest.Headers.Contains("accept-language")) + { + _httpRequest.Headers.Remove("accept-language"); + } + _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage); + } + + + if (customHeaders != null) + { + foreach(var _header in customHeaders) + { + if (_httpRequest.Headers.Contains(_header.Key)) + { + _httpRequest.Headers.Remove(_header.Key); + } + _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value); + } + } + + // Serialize Request + string _requestContent = null; + // Set Credentials + if (Client.Credentials != null) + { + cancellationToken.ThrowIfCancellationRequested(); + await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + } + // Send Request + if (_shouldTrace) + { + ServiceClientTracing.SendRequest(_invocationId, _httpRequest); + } + cancellationToken.ThrowIfCancellationRequested(); + _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false); + if (_shouldTrace) + { + ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse); + } + HttpStatusCode _statusCode = _httpResponse.StatusCode; + cancellationToken.ThrowIfCancellationRequested(); + string _responseContent = null; + if ((int)_statusCode != 200) + { + var ex = new CloudException(string.Format("Operation returned an invalid status code '{0}'", _statusCode)); + try + { + _responseContent = await 
_httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + CloudError _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject(_responseContent, Client.DeserializationSettings); + if (_errorBody != null) + { + ex = new CloudException(_errorBody.Message); + ex.Body = _errorBody; + } + } + catch (JsonException) + { + // Ignore the exception + } + ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent); + ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent); + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + ex.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + if (_shouldTrace) + { + ServiceClientTracing.Error(_invocationId, ex); + } + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw ex; + } + // Create Result + var _result = new AzureOperationResponse>(); + _result.Request = _httpRequest; + _result.Response = _httpResponse; + if (_httpResponse.Headers.Contains("x-ms-request-id")) + { + _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault(); + } + // Deserialize Response + if ((int)_statusCode == 200) + { + _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); + try + { + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + } + catch (JsonException ex) + { + _httpRequest.Dispose(); + if (_httpResponse != null) + { + _httpResponse.Dispose(); + } + throw new SerializationException("Unable to deserialize the response.", _responseContent, ex); + } + } + if (_shouldTrace) + { + ServiceClientTracing.Exit(_invocationId, _result); + } + return _result; + } + + } +} 
diff --git a/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperationsExtensions.cs new file mode 100644 index 000000000000..76e7b53a84ac --- /dev/null +++ b/src/Security/Security.Management.Sdk/Generated/WorkspaceSettingsOperationsExtensions.cs 
@@ -0,0 +1,256 @@ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for +// license information. +// +// Code generated by Microsoft (R) AutoRest Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is +// regenerated. +// + +namespace Microsoft.Azure.Management.Security +{ + using Microsoft.Rest; + using Microsoft.Rest.Azure; + using Models; + using System.Threading; + using System.Threading.Tasks; + + /// + /// Extension methods for WorkspaceSettingsOperations. + /// + public static partial class WorkspaceSettingsOperationsExtensions + { + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. + /// + public static IPage List(this IWorkspaceSettingsOperations operations) + { + return operations.ListAsync().GetAwaiter().GetResult(); + } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. + /// + /// + /// The cancellation token. + /// + public static async Task> ListAsync(this IWorkspaceSettingsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the security setting + /// + public static WorkspaceSetting Get(this IWorkspaceSettingsOperations operations, string workspaceSettingName) + { + return operations.GetAsync(workspaceSettingName).GetAwaiter().GetResult(); + } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + /// + /// The cancellation token. + /// + public static async Task GetAsync(this IWorkspaceSettingsOperations operations, string workspaceSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.GetWithHttpMessagesAsync(workspaceSettingName, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// creating settings about where we should store your security data and logs + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + public static WorkspaceSetting Create(this IWorkspaceSettingsOperations operations, string workspaceSettingName, string workspaceId, string scope) + { + return operations.CreateAsync(workspaceSettingName, workspaceId, scope).GetAwaiter().GetResult(); + } + + /// + /// creating settings about where we should store your security data and logs + /// + /// + /// The operations group for this extension method. 
+ /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + /// + /// The cancellation token. + /// + public static async Task CreateAsync(this IWorkspaceSettingsOperations operations, string workspaceSettingName, string workspaceId, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.CreateWithHttpMessagesAsync(workspaceSettingName, workspaceId, scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Settings about where we should store your security data and logs + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + public static WorkspaceSetting Update(this IWorkspaceSettingsOperations operations, string workspaceSettingName, string workspaceId, string scope) + { + return operations.UpdateAsync(workspaceSettingName, workspaceId, scope).GetAwaiter().GetResult(); + } + + /// + /// Settings about where we should store your security data and logs + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + /// + /// The full Azure ID of the workspace to save the data in + /// + /// + /// All the VMs in this scope will send their security data to the mentioned + /// workspace unless overridden by a setting with more specific scope + /// + /// + /// The cancellation token. 
+ /// + public static async Task UpdateAsync(this IWorkspaceSettingsOperations operations, string workspaceSettingName, string workspaceId, string scope, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.UpdateWithHttpMessagesAsync(workspaceSettingName, workspaceId, scope, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + /// + /// Deletes the custom workspace settings for this subscription. new VMs will + /// report to the default workspace + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + public static void Delete(this IWorkspaceSettingsOperations operations, string workspaceSettingName) + { + operations.DeleteAsync(workspaceSettingName).GetAwaiter().GetResult(); + } + + /// + /// Deletes the custom workspace settings for this subscription. new VMs will + /// report to the default workspace + /// + /// + /// The operations group for this extension method. + /// + /// + /// Name of the security setting + /// + /// + /// The cancellation token. + /// + public static async Task DeleteAsync(this IWorkspaceSettingsOperations operations, string workspaceSettingName, CancellationToken cancellationToken = default(CancellationToken)) + { + (await operations.DeleteWithHttpMessagesAsync(workspaceSettingName, null, cancellationToken).ConfigureAwait(false)).Dispose(); + } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. 
+ /// + public static IPage ListNext(this IWorkspaceSettingsOperations operations, string nextPageLink) + { + return operations.ListNextAsync(nextPageLink).GetAwaiter().GetResult(); + } + + /// + /// Settings about where we should store your security data and logs. If the + /// result is empty, it means that no custom-workspace configuration was set + /// + /// + /// The operations group for this extension method. + /// + /// + /// The NextLink from the previous successful call to List operation. + /// + /// + /// The cancellation token. + /// + public static async Task> ListNextAsync(this IWorkspaceSettingsOperations operations, string nextPageLink, CancellationToken cancellationToken = default(CancellationToken)) + { + using (var _result = await operations.ListNextWithHttpMessagesAsync(nextPageLink, null, cancellationToken).ConfigureAwait(false)) + { + return _result.Body; + } + } + + } +} diff --git a/src/Security/Security.Management.Sdk/README.md b/src/Security/Security.Management.Sdk/README.md index 1c8c477b830b..81cded05703d 100644 --- a/src/Security/Security.Management.Sdk/README.md +++ b/src/Security/Security.Management.Sdk/README.md 
@@ -26,7 +26,55 @@ payload-flattening-threshold: 2 ### ``` yaml input-file: - - https://github.com/Azure/azure-rest-api-specs/blob/main/specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/alerts.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2021-10-01-preview/mdeOnboardings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2021-07-01-preview/customAssessmentAutomation.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2021-07-01-preview/customEntityStoreAssignment.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2017-08-01/complianceResults.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2022-03-01/pricings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/advancedThreatProtectionSettings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/deviceSecurityGroups.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutions.json + - 
https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/locations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/operations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/tasks.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/autoProvisioningSettings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/compliances.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/informationProtectionPolicies.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/securityContacts.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/workspaceSettings.json + - 
https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/subAssessments.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/automations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/serverVulnerabilityAssessments.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2021-06-01/assessmentMetadata.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2021-06-01/assessments.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/applicationWhitelistings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/adaptiveNetworkHardenings.json + - 
https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/allowedConnections.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/topologies.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/jitNetworkAccessPolicies.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/discoveredSecuritySolutions.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/securitySolutionsReferenceData.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/externalSecuritySolutions.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/secureScore.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/SecuritySolutions.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/connectors.json + - 
https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2020-07-01-preview/sqlVulnerabilityAssessmentsScanOperations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2020-07-01-preview/sqlVulnerabilityAssessmentsScanResultsOperations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2020-07-01-preview/sqlVulnerabilityAssessmentsBaselineRuleOperations.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/alerts.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/stable/2022-05-01/settings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2021-01-15-preview/ingestionSettings.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2021-05-01-preview/softwareInventories.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2022-08-01-preview/securityConnectors.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2022-01-01-preview/governanceRules.json + - 
https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2022-01-01-preview/governanceAssignments.json + - https://github.com/Azure/azure-rest-api-specs/blob/312544c27464f61bf9639924099d4238bdfa1d71/specification/security/resource-manager/Microsoft.Security/preview/2022-07-01-preview/applications.json + +override-info: + title: SecurityCenter directive: - from: securityContacts.json @@ -43,6 +91,5 @@ directive: $['x-ms-parameter-location'] = 'client'; output-folder: Generated - namespace: Microsoft.Azure.Management.Security ``` \ No newline at end of file From b21843d88c862db1b8b98749fdb5b6446e769547 Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 10:01:06 +0200 Subject: [PATCH 03/18] resolve changes --- .../GetAssessmentMetadata.cs | 2 +- .../SetAssessmentMetadata.cs | 2 +- .../SecurityContacts/SetSecurityContacts.cs | 2 +- .../PSSecurityAssessmentMetadataConverters.cs | 20 +++++++++++++ .../PSSecurityAssessmentConverters.cs | 17 +++++++++++ .../SecurityContact/PSSecurityContact.cs | 6 ++-- .../PSSecurityContactConverters.cs | 28 +++++++++++++++++-- ...rityContactPropertiesAlertNotifications.cs | 22 +++++++++++++++ ...ityContactPropertiesNotificationsByRole.cs | 12 ++++++++ 9 files changed, 103 insertions(+), 8 deletions(-) create mode 100644 src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs create mode 100644 src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs diff --git a/src/Security/Security/Cmdlets/AssessmentMetadata/GetAssessmentMetadata.cs b/src/Security/Security/Cmdlets/AssessmentMetadata/GetAssessmentMetadata.cs index 7a30e5f28a2f..42cfd1f5f730 100644 --- a/src/Security/Security/Cmdlets/AssessmentMetadata/GetAssessmentMetadata.cs +++ b/src/Security/Security/Cmdlets/AssessmentMetadata/GetAssessmentMetadata.cs 
@@ -43,7 +43,7 @@ public override void ExecuteCmdlet() WriteObject(metadataList.ConvertToPSType(), enumerateCollection: true); break; case ParameterSetNames.SubscriptionLevelResource: - SecurityAssessmentMetadata metadata = null; + SecurityAssessmentMetadataResponse metadata = null; try { diff --git a/src/Security/Security/Cmdlets/AssessmentMetadata/SetAssessmentMetadata.cs b/src/Security/Security/Cmdlets/AssessmentMetadata/SetAssessmentMetadata.cs index b09e9d4115e3..f992bea77a55 100644 --- a/src/Security/Security/Cmdlets/AssessmentMetadata/SetAssessmentMetadata.cs +++ b/src/Security/Security/Cmdlets/AssessmentMetadata/SetAssessmentMetadata.cs @@ -44,7 +44,7 @@ public override void ExecuteCmdlet() { if (ShouldProcess(Name, VerbsCommon.Set)) { - var metadata = new SecurityAssessmentMetadata(displayName: DisplayName, severity: Severity, assessmentType: "CustomerManaged", description: Description, remediationDescription: RemediationDescription); + var metadata = new SecurityAssessmentMetadataResponse(displayName: DisplayName, severity: Severity, assessmentType: "CustomerManaged", description: Description, remediationDescription: RemediationDescription); var result = SecurityCenterClient.AssessmentsMetadata.CreateInSubscriptionWithHttpMessagesAsync(Name, metadata).GetAwaiter().GetResult().Body; WriteObject(result.ConvertToPSType(), enumerateCollection: true); diff --git a/src/Security/Security/Cmdlets/SecurityContacts/SetSecurityContacts.cs b/src/Security/Security/Cmdlets/SecurityContacts/SetSecurityContacts.cs index 975a509f3e36..6eaa6caf0339 100644 --- a/src/Security/Security/Cmdlets/SecurityContacts/SetSecurityContacts.cs +++ b/src/Security/Security/Cmdlets/SecurityContacts/SetSecurityContacts.cs 
@@ -49,7 +49,7 @@ public override void ExecuteCmdlet() if (ShouldProcess(Name, VerbsCommon.Set)) { - var contact = new SecurityContact(email: Email, phone: phone, alertNotifications: alertNotification, alertsToAdmins: alertAdmin); + var contact = new SecurityContact(emails: Email, phone: phone, alertNotifications: new SecurityContactPropertiesAlertNotifications(state: alertNotification), notificationsByRole: new SecurityContactPropertiesNotificationsByRole(state: alertAdmin)); var sc = SecurityCenterClient.SecurityContacts.CreateWithHttpMessagesAsync(Name, contact).GetAwaiter().GetResult().Body; WriteObject(sc.ConvertToPSType(), enumerateCollection: true); diff --git a/src/Security/Security/Models/AssessmentMetadata/PSSecurityAssessmentMetadataConverters.cs b/src/Security/Security/Models/AssessmentMetadata/PSSecurityAssessmentMetadataConverters.cs index eb284f25694c..4949ef9d5ca1 100644 --- a/src/Security/Security/Models/AssessmentMetadata/PSSecurityAssessmentMetadataConverters.cs +++ b/src/Security/Security/Models/AssessmentMetadata/PSSecurityAssessmentMetadataConverters.cs @@ -35,9 +35,29 @@ public static PSSecurityAssessmentMetadata ConvertToPSType(this SecurityAssessme }; } + public static PSSecurityAssessmentMetadata ConvertToPSType(this SecurityAssessmentMetadataResponse value) + { + return new PSSecurityAssessmentMetadata() + { + Id = value.Id, + Name = value.Name, + AssessmentType = value.AssessmentType, + Description = value.Description, + DisplayName = value.DisplayName, + PolicyDefinitionId = value.PolicyDefinitionId, + RemediationDescription = value.RemediationDescription, + Severity = value.Severity + }; + } + public static List ConvertToPSType(this IEnumerable value) { return value.Select(sc => sc.ConvertToPSType()).ToList(); } + + public static List ConvertToPSType(this IEnumerable value) + { + return value.Select(sc => sc.ConvertToPSType()).ToList(); + } } } 
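Review bot: On the changed `new SecurityContact(...)` line both nested objects are built with `state` only, so the `MinimalSeverity` and `Roles` values that PSSecurityContactConverters maps later in this patch are sent unset. This object decides who is e-mailed about security alerts, and whether an enabled state with no role list or severity threshold still notifies anyone depends on service defaults that are not visible in this hunk. Either expose cmdlet parameters for the two values or record the reliance next to the call, e.g. `// Roles and MinimalSeverity are left unset on purpose; the service default applies`. ExecuteCmdlet begins above the hunk, so how `alertNotification` and `alertAdmin` are derived cannot be checked from here.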
diff --git a/src/Security/Security/Models/Assessments/PSSecurityAssessmentConverters.cs b/src/Security/Security/Models/Assessments/PSSecurityAssessmentConverters.cs index bfb79be2b048..373957b07e0e 100644 --- a/src/Security/Security/Models/Assessments/PSSecurityAssessmentConverters.cs +++ b/src/Security/Security/Models/Assessments/PSSecurityAssessmentConverters.cs @@ -32,6 +32,18 @@ public static PSSecurityAssessment ConvertToPSType(this SecurityAssessment value }; } + public static PSSecurityAssessment ConvertToPSType(this SecurityAssessmentResponse value) + { + return new PSSecurityAssessment() + { + Id = value.Id, + Name = value.Name, + DisplayName = value.DisplayName, + ResourceDetails = value.ResourceDetails.ConvertToPSType(), + Status = value.Status.ConvertToPSType() + }; + } + public static PSSecurityResourceDetails ConvertToPSType(this ResourceDetails value) { if (value is AzureResourceDetails details) @@ -63,5 +75,10 @@ public static List ConvertToPSType(this IEnumerable obj.ConvertToPSType()).ToList(); } + + public static List ConvertToPSType(this IEnumerable value) + { + return value.Select(obj => obj.ConvertToPSType()).ToList(); + } } } diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs index 390861276a28..37b953cbbbda 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs @@ -12,6 +12,8 @@ // limitations under the License. // ---------------------------------------------------------------------------------- +using Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact; + namespace Microsoft.Azure.Commands.Security.Models.SecurityContacts { public class PSSecurityContact 
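Review bot: The new `SecurityAssessmentResponse` overload calls `value.ResourceDetails.ConvertToPSType()` and `value.Status.ConvertToPSType()` unconditionally, while the security-contact converter changed in this same patch guards its nested objects with `?.`. Whether the `ResourceDetails` and `Status` converters tolerate null is not visible in this hunk, so a response that omits either field may throw from inside the mapping. If null is possible, write `ResourceDetails = value.ResourceDetails?.ConvertToPSType(),` and the same for `Status`. Otherwise add a one-line comment stating that the service always returns both.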
@@ -24,8 +26,8 @@ public class PSSecurityContact public string Phone { get; set; } - public string AlertNotifications { get; set; } + public PSSecurityContactPropertiesAlertNotifications AlertNotifications { get; set; } - public string AlertsToAdmins { get; set; } + public PSSecurityContactPropertiesNotificationsByRole NotificationsByRole { get; set; } } } diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs index 2a4d6a41bb15..1f0708c37e29 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs @@ -14,6 +14,8 @@ using System.Collections.Generic; using System.Linq; +using Microsoft.Azure.Commands.Security.Models.Alerts; +using Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact; using Microsoft.Azure.Management.Security.Models; namespace Microsoft.Azure.Commands.Security.Models.SecurityContacts @@ -26,10 +28,10 @@ public static PSSecurityContact ConvertToPSType(this SecurityContact value) { Id = value.Id, Name = value.Name, - Email = value.Email, + Email = value.Emails, Phone = value.Phone, - AlertNotifications = value.AlertNotifications, - AlertsToAdmins = value.AlertsToAdmins + AlertNotifications = value.AlertNotifications?.ConvertToPSType(), + NotificationsByRole = value.NotificationsByRole?.ConvertToPSType() }; } 
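Review bot: Changing `AlertNotifications` from `string` to an object and renaming `AlertsToAdmins` to `NotificationsByRole` alters the cmdlet's output shape, and nothing in this hunk keeps the old members. A script that reads `$contact.AlertsToAdmins` would now get `$null`, and a comparison of `AlertNotifications` against a state string would stop matching, so an audit of notification settings could report the wrong state without raising an error. If compatibility matters, a read-only shim such as `public string AlertsToAdmins => NotificationsByRole?.State;` keeps old readers working; otherwise the change should be recorded as breaking in the module's change log.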
@@ -37,5 +39,25 @@ public static List ConvertToPSType(this IEnumerable sc.ConvertToPSType()).ToList(); } + + public static PSSecurityContactPropertiesAlertNotifications ConvertToPSType(this SecurityContactPropertiesAlertNotifications value) + { + return new PSSecurityContactPropertiesAlertNotifications + { + MinimalSeverity = value.MinimalSeverity, + State = value.State + + }; + } + + public static PSSecurityContactPropertiesNotificationsByRole ConvertToPSType(this SecurityContactPropertiesNotificationsByRole value) + { + return new PSSecurityContactPropertiesNotificationsByRole + { + State = value.State, + Roles = value.Roles?.ToList() ?? new List(), + + }; + } } } diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs new file mode 100644 index 000000000000..2159d6e3492c --- /dev/null +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs 
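Review bot: Both added converters read `value.State` directly, so they are safe only because the one caller shown earlier in this file uses `?.ConvertToPSType()`; as public extension methods they can be invoked on a null reference from elsewhere. I would start each with `if (value == null) return null;`. The object initializers also carry a stray blank line before `};` and, in the second one, a trailing comma after the `Roles` entry, which is worth tidying in the same change.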
@@ -0,0 +1,22 @@ +// ---------------------------------------------------------------------------------- +// +// Copyright Microsoft Corporation +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// ---------------------------------------------------------------------------------- + +namespace Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact +{ + public class PSSecurityContactPropertiesAlertNotifications + { + public string State { get; set; } + public string MinimalSeverity { get; set; } + } +} diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs new file mode 100644 index 000000000000..472a3a942af9 --- /dev/null +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs @@ -0,0 +1,12 @@ +using System; +using System.Collections.Generic; +using System.Text; + +namespace Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact +{ + public class PSSecurityContactPropertiesNotificationsByRole + { + public string State { get; set; } + public IList Roles { get; set; } + } +} From 73f68053f034e3621f9f6eb65e8d2c6f6a158d3b Mon Sep 17 00:00:00 2001 
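Review bot: Both new model files declare `namespace Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact`, while `PSSecurityContact` and its converters live in `Microsoft.Azure.Commands.Security.Models.SecurityContacts`, which is why those files gain an extra `using` in this patch. Unless the split is deliberate, I would declare `namespace Microsoft.Azure.Commands.Security.Models.SecurityContacts` in both files and drop the added usings. `PSSecurityContactPropertiesNotificationsByRole.cs` also lacks the license header its sibling carries and imports `System` and `System.Text` without using them. A `///` summary on each property would help, since the accepted values of `State`, `MinimalSeverity` and `Roles` are not stated anywhere in these files.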
From: yifat Date: Thu, 17 Nov 2022 10:13:56 +0200 Subject: [PATCH 04/18] Record securitySettings tests --- .../GetSubscriptionLevelResource.json | 24 +++++++++---------- .../SetSettingsScope.json | 22 ++++++++--------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionLevelResource.json index 1bfb85005318..9cebf3c27abe 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionLevelResource.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS?api-version=2021-07-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3MvTUNBUz9hcGktdmVyc2lvbj0yMDIxLTA3LTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS?api-version=2022-05-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3MvTUNBUz9hcGktdmVyc2lvbj0yMDIyLTA1LTAx", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "00c95812-5aa7-4716-88f8-7d33d4d84b76" + "acaf4f56-0e3b-4f44-aefc-76f477a6d1c2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -27,7 +27,7 @@ "no-cache" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "748" + "749" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -36,22 +36,22 @@ "1.0" ], "x-ms-request-id": [ - "bd1c617c-a3fd-4d6b-b187-4779ab695dc3" + "1c2f5422-98cc-4e57-b519-c4636767c103" ], "Server": [ "Kestrel" ], "x-ms-correlation-request-id": [ - "5b5a4230-6849-4e46-a54a-eb3819adf3d8" + "8fbdb62d-25d4-4c4c-8888-f8cc11312a7f" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T191114Z:5b5a4230-6849-4e46-a54a-eb3819adf3d8" + "FRANCESOUTH:20221117T080850Z:8fbdb62d-25d4-4c4c-8888-f8cc11312a7f" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:11:13 GMT" + "Thu, 17 Nov 2022 08:08:50 GMT" ], "Content-Length": [ "212" diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/SetSettingsScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/SetSettingsScope.json index 14c6cc50b7cd..139cc73e4b6a 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/SetSettingsScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/SetSettingsScope.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS?api-version=2021-07-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3MvTUNBUz9hcGktdmVyc2lvbj0yMDIxLTA3LTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS?api-version=2022-05-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3MvTUNBUz9hcGktdmVyc2lvbj0yMDIyLTA1LTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "0d07b8e4-c2bf-49ae-a40b-9d2b7b221f24" + "48c6644b-75c7-4ab0-9b09-8ca9dcdbf714" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "82" ] }, + "RequestBody": "{\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -42,22 +42,22 @@ "1.0" ], "x-ms-request-id": [ - "9e96ae13-d0b3-4745-9d3f-ee16c22bd307" + "736d33d3-9dba-4e80-9179-e2ae3ffb9eca" ], "Server": [ "Kestrel" ], "x-ms-correlation-request-id": [ - "c3ee9956-93ca-4060-a741-832965b8b513" + "277f6bf8-7dda-4871-99b4-237dc70bb7f3" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T191053Z:c3ee9956-93ca-4060-a741-832965b8b513" + "FRANCESOUTH:20221117T080905Z:277f6bf8-7dda-4871-99b4-237dc70bb7f3" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:10:52 GMT" + "Thu, 17 Nov 2022 08:09:04 GMT" ], "Content-Length": [ "212" From 1d1dccc6604023a217379d77fe868aa69e36fd9d Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 10:18:00 +0200 Subject: [PATCH 05/18] Record pricing tests --- .../GetResourceId.json | 86 ++++++++++--------- .../GetSubscriptionLevelResource.json | 43 +++++----- .../GetSubscriptionScope.json | 43 +++++----- .../SetSubscriptionLevelResource.json | 41 +++++---- 4 files changed, 114 insertions(+), 99 deletions(-) diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetResourceId.json index 40d6d5d6a431..36e24a64ee4d 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetResourceId.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3M/YXBpLXZlcnNpb249MjAxOC0wNi0wMQ==", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3M/YXBpLXZlcnNpb249MjAyMi0wMy0wMQ==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "dbe116e2-b1bf-48bb-ba3e-59a22dd4f6ef" + "937e4856-158e-4149-b762-2d142e3d8843" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17763.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/1.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -26,32 +26,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "eedecfd3-1861-4d8a-9f14-0b3ae3e47918" + "e0465550-7d23-4281-b28e-01c82f6fce93" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "749" + "Kestrel" ], "x-ms-correlation-request-id": [ - "19b224f5-944c-4fe8-956c-203d27e139bc" + "bc163e9a-ae9a-49bc-8623-d4f86ce81900" ], "x-ms-routing-request-id": [ - "UKWEST:20190307T160226Z:19b224f5-944c-4fe8-956c-203d27e139bc" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T081735Z:bc163e9a-ae9a-49bc-8623-d4f86ce81900" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Thu, 07 Mar 2019 16:02:26 GMT" + "Thu, 17 Nov 2022 08:17:34 GMT" ], "Content-Length": [ - "740" + "3571" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -60,28 +63,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServers\",\r\n \"name\": \"SqlServers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/AppServices\",\r\n \"name\": \"AppServices\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServers\",\r\n \"name\": \"SqlServers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/AppServices\",\r\n \"name\": \"AppServices\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n 
\"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/StorageAccounts\",\r\n \"name\": \"StorageAccounts\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"PerTransaction\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServerVirtualMachines\",\r\n \"name\": \"SqlServerVirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/KubernetesService\",\r\n \"name\": \"KubernetesService\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Free\",\r\n \"freeTrialRemainingTime\": \"PT0S\",\r\n \"deprecated\": true,\r\n \"replacedBy\": [\r\n \"Containers\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/ContainerRegistry\",\r\n \"name\": \"ContainerRegistry\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Free\",\r\n \"freeTrialRemainingTime\": \"PT0S\",\r\n \"deprecated\": true,\r\n \"replacedBy\": [\r\n \"Containers\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/KeyVaults\",\r\n \"name\": \"KeyVaults\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Dns\",\r\n \"name\": \"Dns\",\r\n 
\"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Arm\",\r\n \"name\": \"Arm\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/OpenSourceRelationalDatabases\",\r\n \"name\": \"OpenSourceRelationalDatabases\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/CosmosDbs\",\r\n \"name\": \"CosmosDbs\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Containers\",\r\n \"name\": \"Containers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/CloudPosture\",\r\n \"name\": \"CloudPosture\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "c9fb7dce-a70e-479d-9b32-291e95bc03bb" + "71cc253e-91c8-4709-bfe4-0c11228610fd" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17763.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/1.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -89,32 +92,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "daa9dbee-0558-4a28-9cd3-5477a35d4e65" + "3062b7c9-ebb2-4bc7-a821-e31a12a769b2" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "748" + "Kestrel" ], "x-ms-correlation-request-id": [ - "8c67c551-286c-4e11-88ad-013af876be80" + "c5297372-580b-42df-b1ab-29096f1d54e2" ], "x-ms-routing-request-id": [ - "UKWEST:20190307T160226Z:8c67c551-286c-4e11-88ad-013af876be80" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T081735Z:c5297372-580b-42df-b1ab-29096f1d54e2" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Thu, 07 Mar 2019 16:02:26 GMT" + "Thu, 17 Nov 2022 08:17:35 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" @@ -123,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionLevelResource.json index fcbc30d6b735..db11274069a1 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionLevelResource.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "53454c0a-4f38-4e00-80f9-c5f043112a55" + "3dbd15ef-8507-4208-8d96-4cc3f9d245ed" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17763.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/1.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -26,32 +26,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "a037fefe-64b5-4806-8f96-158e3a3372d4" + "729bb007-e779-4fd0-97f2-de538a2f7d32" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "749" + "Kestrel" ], "x-ms-correlation-request-id": [ - "6c6dce52-fc3f-489e-bb8d-cafa6ca73d49" + "74f359b5-9ba8-4eca-82a1-7549114721db" ], "x-ms-routing-request-id": [ - "UKWEST:20190307T160212Z:6c6dce52-fc3f-489e-bb8d-cafa6ca73d49" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T081721Z:74f359b5-9ba8-4eca-82a1-7549114721db" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Thu, 07 Mar 2019 16:02:11 GMT" + "Thu, 17 Nov 2022 08:17:21 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" @@ -60,7 +63,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionScope.json index f1e4f0c01147..338a08ca88fe 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/GetSubscriptionScope.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3M/YXBpLXZlcnNpb249MjAxOC0wNi0wMQ==", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3M/YXBpLXZlcnNpb249MjAyMi0wMy0wMQ==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "ba121c01-7663-4a6b-87c4-568971724544" + "f1c02083-1c88-485c-9d4f-b0b97b2ebf5b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17763.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/1.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -26,32 +26,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "e318150b-cb26-4984-bdbe-61420d5610ee" + "811a90a2-6bd8-4b10-870a-eba5f085c7c0" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "749" + "Kestrel" ], "x-ms-correlation-request-id": [ - "55fec7e0-25a2-4353-9e93-8a55aba1f223" + "e7ab7154-94bc-4b8b-8ee8-675e107a441c" ], "x-ms-routing-request-id": [ - "UKWEST:20190307T160215Z:55fec7e0-25a2-4353-9e93-8a55aba1f223" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T081725Z:e7ab7154-94bc-4b8b-8ee8-675e107a441c" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Thu, 07 Mar 2019 16:02:14 GMT" + "Thu, 17 Nov 2022 08:17:24 GMT" ], "Content-Length": [ - "740" + "3571" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -60,7 +63,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServers\",\r\n \"name\": \"SqlServers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/AppServices\",\r\n \"name\": \"AppServices\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServers\",\r\n \"name\": \"SqlServers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/AppServices\",\r\n \"name\": \"AppServices\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n 
\"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/StorageAccounts\",\r\n \"name\": \"StorageAccounts\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"PerTransaction\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/SqlServerVirtualMachines\",\r\n \"name\": \"SqlServerVirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/KubernetesService\",\r\n \"name\": \"KubernetesService\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Free\",\r\n \"freeTrialRemainingTime\": \"PT0S\",\r\n \"deprecated\": true,\r\n \"replacedBy\": [\r\n \"Containers\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/ContainerRegistry\",\r\n \"name\": \"ContainerRegistry\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Free\",\r\n \"freeTrialRemainingTime\": \"PT0S\",\r\n \"deprecated\": true,\r\n \"replacedBy\": [\r\n \"Containers\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/KeyVaults\",\r\n \"name\": \"KeyVaults\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Dns\",\r\n \"name\": \"Dns\",\r\n 
\"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Arm\",\r\n \"name\": \"Arm\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/OpenSourceRelationalDatabases\",\r\n \"name\": \"OpenSourceRelationalDatabases\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/CosmosDbs\",\r\n \"name\": \"CosmosDbs\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/Containers\",\r\n \"name\": \"Containers\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/CloudPosture\",\r\n \"name\": \"CloudPosture\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/SetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/SetSubscriptionLevelResource.json index 963f679d8c69..e594eb14440e 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/SetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityPricingTests/SetSubscriptionLevelResource.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "3b98cd60-b80c-4ac7-bbe7-9050b9993c66" + "0e1bd728-50ab-4441-b168-17ee8aeb56ba" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17763.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/1.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "6c117ca2-62bf-49d1-af25-21363cbddf57" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "249" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], + "x-ms-request-id": [ + "705288e2-0b19-479a-8692-c599574ba03a" + ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-correlation-request-id": [ - "221326c2-b015-4173-97bc-b9bc6f9cabf8" + "0ab83088-e8b8-47b0-b8d3-3bd3c7125f41" ], "x-ms-routing-request-id": [ - "UKWEST:20190307T160223Z:221326c2-b015-4173-97bc-b9bc6f9cabf8" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T081731Z:0ab83088-e8b8-47b0-b8d3-3bd3c7125f41" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Thu, 07 Mar 2019 16:02:22 GMT" + "Thu, 17 Nov 2022 08:17:30 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" @@ -66,7 +69,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 } ], From 91c770c248e269e0e1f349d65ac551d722558ce9 Mon Sep 17 00:00:00 2001 
From: yifat Date: Thu, 17 Nov 2022 10:23:14 +0200 Subject: [PATCH 06/18] Record securityAssessment and metadata --- .../CreateAndDeleteAssessmentMetadata.json | 126 +++++++++--------- .../GetAllAssessmentMetadata.json | 26 ++-- .../GetAllAssessments.json | 86 ++++++++++-- 3 files changed, 149 insertions(+), 89 deletions(-) diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json index 57b570161b78..cf4dae17a9c7 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "090ac85a-e6cb-4470-9f7e-436b38671034" + "6fd3aef1-cae0-405d-9f57-628d75fc0d8c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "30fee969-e173-4de8-befb-d2d1fc93a0fb" + "1a0b3441-285a-4194-ac1d-8514bef53b0e" ], "x-ms-correlation-request-id": [ - "30fee969-e173-4de8-befb-d2d1fc93a0fb" + "1a0b3441-285a-4194-ac1d-8514bef53b0e" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104815Z:30fee969-e173-4de8-befb-d2d1fc93a0fb" + "FRANCESOUTH:20221117T082003Z:1a0b3441-285a-4194-ac1d-8514bef53b0e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -45,10 +45,10 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:15 GMT" + "Thu, 17 Nov 2022 08:20:03 GMT" ], "Content-Length": [ - "133768" + "1308177" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -57,28 +57,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. 
Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. 
In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n
  • Using Security Center�s automatic provisioning on your subscription(s).
    This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
    \\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
    You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
    select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item.
  • \\n
  • Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
  • \\n
  • Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
    �[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs.
  • \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. 
Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. 
In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. 
For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. 
Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. 
Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. 
Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. 
Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. 
Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. 
Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. 
Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the 
firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. 
To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. 
Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. 
The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.

Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.

If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.

Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. 
Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. 
Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n 
\"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "36952ad5-7871-451a-b633-0077bc28dc5c" + "5b48e6c9-3d2a-4d91-bd35-399bc741f505" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -87,16 +87,16 @@ "no-cache" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "748" + "749" ], "x-ms-request-id": [ - "44d928d6-df57-49b7-b4ba-35b627da10ee" + "32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" ], "x-ms-correlation-request-id": [ - "44d928d6-df57-49b7-b4ba-35b627da10ee" + "32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104817Z:44d928d6-df57-49b7-b4ba-35b627da10ee" + "FRANCESOUTH:20221117T082006Z:32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -105,10 +105,10 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:16 GMT" + "Thu, 17 Nov 2022 08:20:06 GMT" ], "Content-Length": [ - "134199" + "1308608" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -117,28 +117,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. 
Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. 
In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n
  • Using Security Center�s automatic provisioning on your subscription(s).
    This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
    \\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
    You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
    select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item.
  • \\n
  • Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
  • \\n
  • Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
    �[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs.
  • \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. 
Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. 
In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. 
For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. 
Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. 
Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. 
Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. 
Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. 
Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. 
Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. 
Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the 
firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. 
To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. 
Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. 
The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.

Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.

If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.

Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. 
Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. 
Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": 
\"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n 
\"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": 
\"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "0135e230-0c24-4c69-862f-8c6779d934e1" + "75971b95-40c7-48b7-af27-8a3c3a05453d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -147,16 +147,16 @@ "no-cache" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "747" + "749" ], "x-ms-request-id": [ - "4ac4efa4-68ef-47b0-a80b-6f6d16b52d71" + "32b37e39-0e55-47cd-a170-ba9806eceed8" ], "x-ms-correlation-request-id": [ - "4ac4efa4-68ef-47b0-a80b-6f6d16b52d71" + "32b37e39-0e55-47cd-a170-ba9806eceed8" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104818Z:4ac4efa4-68ef-47b0-a80b-6f6d16b52d71" + "FRANCESOUTH:20221117T082010Z:32b37e39-0e55-47cd-a170-ba9806eceed8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -165,10 +165,10 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:18 GMT" + "Thu, 17 Nov 2022 08:20:09 GMT" ], "Content-Length": [ - "133768" + "1308177" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -177,26 +177,25 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. 
Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. 
In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n
  • Using Security Center�s automatic provisioning on your subscription(s).
    This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
    \\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
    You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
    select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item.
  • \\n
  • Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
  • \\n
  • Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
    �[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs.
  • \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. 
Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. 
In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. 
For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. 
Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. 
Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. 
Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. 
Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. 
Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. 
Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. 
Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the 
firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. 
To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. 
Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. 
The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.

Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.

If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.

Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. 
Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. 
Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n 
\"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2020-01-01", - "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"severity\": \"High\",\r\n \"assessmentType\": \"CustomerManaged\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ba46dc4d-1ef8-49ba-8885-2a34e7289c74" + "dff416e4-62e5-4769-9076-c1e303edb078" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -205,6 +204,7 @@ "207" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"severity\": \"High\",\r\n \"assessmentType\": \"CustomerManaged\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -216,13 +216,13 @@ "1199" ], "x-ms-request-id": [ - "c5bee9bc-d4fe-49ca-a5fc-70bbc41b6cf7" + "38d91867-47a8-4e1d-96e6-cc43ab72f23e" ], "x-ms-correlation-request-id": [ - "c5bee9bc-d4fe-49ca-a5fc-70bbc41b6cf7" + "38d91867-47a8-4e1d-96e6-cc43ab72f23e" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104817Z:c5bee9bc-d4fe-49ca-a5fc-70bbc41b6cf7" + "FRANCESOUTH:20221117T082006Z:38d91867-47a8-4e1d-96e6-cc43ab72f23e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -231,7 +231,7 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:16 GMT" + "Thu, 17 Nov 2022 08:20:05 GMT" ], "Content-Length": [ "430" 
@@ -247,24 +247,24 @@ "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "b95923d2-cdbe-42be-a79c-daaeef2d0caf" + "c1ee1196-50f2-4f5e-a959-f871b54fb8fc" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -276,13 +276,13 @@ "14999" ], "x-ms-request-id": [ - "2f50b679-26ab-4792-bbe7-24e4192bb7aa" + "bf13f950-fd5b-4921-964c-e26f60f6a43d" ], "x-ms-correlation-request-id": [ - "2f50b679-26ab-4792-bbe7-24e4192bb7aa" + "bf13f950-fd5b-4921-964c-e26f60f6a43d" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104818Z:2f50b679-26ab-4792-bbe7-24e4192bb7aa" + "FRANCESOUTH:20221117T082009Z:bf13f950-fd5b-4921-964c-e26f60f6a43d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -291,7 +291,7 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:18 GMT" + "Thu, 17 Nov 2022 08:20:08 GMT" ], "Expires": [ "-1" diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json index 38f8f940f22a..ed36c75e6c2c 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "513dd96a-4f86-4518-b92f-b414c7ff5f6c" + "d28540b6-de12-48e3-947f-400a85f47583" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27317.07", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19041.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.1.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "b56eaa78-2038-4028-9cc9-74561b6b497a" + "2e5b12e2-ff09-4184-a2ac-d7722215366c" ], "x-ms-correlation-request-id": [ - "b56eaa78-2038-4028-9cc9-74561b6b497a" + "2e5b12e2-ff09-4184-a2ac-d7722215366c" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200602T104824Z:b56eaa78-2038-4028-9cc9-74561b6b497a" + "FRANCESOUTH:20221117T082015Z:2e5b12e2-ff09-4184-a2ac-d7722215366c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -45,10 +45,10 @@ "nosniff" ], "Date": [ - "Tue, 02 Jun 2020 10:48:23 GMT" + "Thu, 17 Nov 2022 08:20:14 GMT" ], "Content-Length": [ - "133768" + "1308177" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -57,7 +57,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"\",\r\n \"remediationDescription\": \"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine: 1. Stop your VM when it is safe to do so. 2. Enable Secure Boot for the VM. 3. 
Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'all'. 4. click OK. 5. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps: 1. Go to the app service applications settings page 2. In the remote debugging toggle select Off 3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. 
Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:<br>1. Go to the app service applications settings page<br>2. In the remote debugging toggle select Off<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:<br>1. Go to the app service CORS page<br>2. Remove the �*� defined and instead specify explicit origins that should be allowed to make cross-origin calls<br>3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
\\n1. Go to the app service custom domains page
\\n2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"1. Click an identified outstanding update. 2. 
In the Missing system updates pane, click the support link and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
\\n1. Go to Virtual machines and click on your machine.
\\n2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases: 1. Select the SQL database. 2. Under Data encryption, select On. 3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
\\n1. Select the SQL server.
\\n2. Under Auditing, select On.
\\n3. Select Storage details and configure a storage account for the audit log.
\\n4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored,
\\n you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace.
\\n In some cases, the MMA agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial - security events won�t be properly processed,
\\n and in turn threat detection for the affected VMs may fail to function.\",\r\n \"remediationDescription\": \"To resolve monitoring agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install monitoring agent on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines.<br> We recommend configuring auto-provisioning to ensure the MMA is deployed automatically.<br> If you choose not to use auto-provisioning, you�ll need to follow the remediation steps to manually deploy the MMA for all your VMs.<br> You�ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.\",\r\n \"remediationDescription\": \"Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways:\\n
  • Using Security Center�s automatic provisioning on your subscription(s).
    This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). (Learn more)
    \\nYou can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'.
    You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item,
    select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item.
  • \\n
  • Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions.
  • \\n
  • Provision the Microsoft Monitoring agent with Azure Policies. The applicable policy definitions are:
    �[Preview]: Deploy Log Analytics Agent for Windows VMs� and �[Preview]: Deploy Log Analytics Agent for Linux VMs.
  • \\n
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"Before enabling MFA for the users, you may want to take this opportunity to delete any users listed that are no longer active users.

To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
To enable MFA on user accounts: 1. Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription. The list of user accounts that require enabling MFA opens. 2. Click 'Continue'. The Azure AD Conditional Access page opens. 3. In the Conditional Access page, add the list of users to an existing policy. If there are no existing policies create a new policy following these instructions:
 a. Click '+New policy'.
 b. In the 'Name' text box, enter a policy name.
 c. Assign 'User and groups':
  i. Select 'Users and groups' > In the 'Include' tab, select 'Select users and groups' and select the 'Users and groups' check box.
  ii. Select the users that are in the list of user accounts require enabling MFA. You can scroll back to the left to see the list.
  iii. After selecting the users, at the bottom of the list, click 'Select'.
  iv. Click 'Done'.
 d. Assign 'Cloud apps'
  i. Select 'Cloud apps' > In the 'Include' tab, select 'All cloud apps'. (Don't exclude any apps.)
  ii. Click 'Done'.
 e. Assign 'Access Controls'
  i. Select 'Grant' and select 'Require multi-factor authentication'. (Don't select any other options.)
  ii. Click 'Select'.
 f. Enable Policy.
  i. Click 'On' 4. Click 'Create'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page: 1. Click the 'Role assignments' 2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click �Continue�. The Access control (IAM) page opens.
In the Access control page:1. Click the 'Role assignments' tab. 2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list. 3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click the Role assignments tab and set the 'Role' filter to 'Owner'. 2. Select the owners you want to remove. 3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens. 1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled 1. In the 'Role' drop-down list, select the Owner role. 2. In the Select list, select a user. 3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To Remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on SQL servers: 1. Select the SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources : 1. Go to the Virtual machine 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal: 1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service. 2. Under 'Upgrade' select the target Kubernetes version and save the change. 
Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. 
It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows: 1. Go to Azure Kubernetes Services. 2. Click 'Add' and enter your cluster's configuration. 3. 
In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics: 1. Go to Data Lake Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. 
Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced data security should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.\",\r\n \"remediationDescription\": \"To enable advanced data security on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Advanced Data Security', select 'On'. 3. Under 'Vulnerability Assessment Settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Click Save.
Note: ADS is charged at $15 per managed SQL server.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps: 1. Go to the Redis Caches, and select your redis cache. 2. Select 'Advanced settings'. 3. 
For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics: 1. Go to Batch and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics: 1. Go to Stream Analytics and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics: 1. Go to the Service Bus. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics: 1. Go to Data Lake Store and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics: 1. Go to Search and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign': 1. Go to the Service fabric cluster. 2. Click on 'Custom fabric settings'. 3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics: 1. Go to the Event Hub namespace. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics: 1. Go to Logic Apps and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources : 1. Go to the Storage Account 2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics: 1. Go to Key Vault and click on your subscription. 2. Click Diagnostic settings and then click Turn on diagnostics. 3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"1. In your storage account, go to 'Firewalls and virtual networks'. 2. Under 'Allow access from', choose 'Selected networks'. 3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account. 4. 
Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required: 1. In your storage account, go to the 'Configuration' page. 2. 
Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates: 1. Review the list of missing system updates. 2. 
Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/f3631911-7880-4edb-88bd-6411f5e3b6ec\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets.<br> You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"To install monitoring agent : 1. Select or create a workspace. 2. 
Click on Install to install the agent on the scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. 
Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution: 1. 
Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’ tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:attack surface reduction\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"Security Center can deploy the agents to all your machines with quick fix: 1. From the Unhealthy resources tab, select the relevant machines, and select \\\"Remediate\\\". 2. Read the remediation details in the confirmation box, modify the parameters as necessary, and approve the remediation. Note: It can take several minutes after remediation completes until the resources move to the Healthy resources tab. Manual Remediation: 1. From Azure Arc machine's page, go to Extensions and select Add. 2. Follow the instructions to add the relevant extension. 
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5468b9f3-f0dd-41e3-a383-f0f442f34bcf\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bde66085-0bff-4163-a200-2ff7c1175045\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3f528984-4591-4989-b6bc-6d9f67f3de57\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. 
Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa676ae0-e4c3-4803-8ce8-e85df20b57cd\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a782bbed-a876-4631-9bc5-7ace7d466dc8\",\r\n \"description\": \"A rule in the 
firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fce8d615-a5d2-431d-ba4d-2d9ae164224f\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75af18a4-86e2-40ab-a157-359d67bd9314\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"name\": \"3a577f3e-2a57-4197-bc79-85007d5c8cd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Install the Azure Security of Things Agent\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b122f8fc-72f9-4a24-87ec-b71bdfb5a890\",\r\n \"description\": \"Installing the Azure Security of Things agent on a device increases the security detections available for it\",\r\n \"remediationDescription\": \"Install the Azure Security of Things Security Agent\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15d59b-fbfe-41c9-bdb1-d900cc77eb6e\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a6cb74de-df4c-497f-9e87-f0ccd430de6c\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4912296-8654-4bf1-bb7b-a42bfa368af6\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5502d409-6ab3-401d-a4ae-619cf2bbf68e\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:1. Follow the guidance here to create service principals with a certificate. 2. Select a subscription from the list of subscriptions below or navigate to the specific subscription. 3. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. 
To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with applications and firewalls unprotected by the DDoS protection service. These apps and firewalls have public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"1. Select a virtual network to enable the DDoS protection service standard on. 2. Select the Standard option. 3. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for whitelisting safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect. 4. 
Create a new applications control policy according to the instructions in Security Center’s documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Whitelisting rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your whitelists of known-safe applications: 1. From the portal, open Security Center. 2. Select \\\"Adaptive application controls\\\" from Security Center’s sidebar. 3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines. 4. 
The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The pane closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"N/A\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22). 3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges. 4. Click 'Save'.

Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding: 1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade. 2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left). 3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'. 4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on NSG associated to your VM\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines: 1. Select a VM to restrict access to. 2. In the 'Networking' blade, click the Network Security Group with overly permissive rules. 3. In the 'Network security group' blade, click on each of the rules that are overly permissive. 4. Improve the rule by applying less permissive source IP ranges. 5. Apply the suggested changes and click 'Save'.

If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your virtual machines: 1. Select a VM to enable NSG on its NIC. 2. In the 'Networking' blade, click the Network Interface that is associated with the selected VM. 3. In the 'Network interface' blade, click the 'Network security group' menu item. 4. Click the 'Edit' button at the top of the blade. 5. Follow the steps and select an existing network security group to attach to this VM.

Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To enable network security groups on your virtual machines: 1. Select a VM to enable an NSG on its NIC. 2. In the 'Networking' pane, select the Network Interface that is associated with the selected VM. 3. In the 'Network interface' pane, select the 'Network security group' menu item. 4. Select 'Edit' at the top of the pane. 5. Follow the steps and select an existing network security group to attach to this VM.

Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65f6008c-c7de-4146-b4f2-0f91aa80ebe0\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines (Preview)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click Remediate. 
Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation: 1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'. 2. Review the recommended classifications. 3. 
Apply the relevant recommendations and dismiss the ones that are not applicable.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"name\": \"fe02b3b7-a722-d4d6-6731-6493776203a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases in VMs should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. 
Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bf49982c-9e3e-4fc4-bc20-67afecd23512\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities: 1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate. 2. Review the set of failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field. 5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exist. 6. 
Delete the old image with the vulnerability from you registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remediate vulnerabilities found on your virtual machines (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerability findings that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities: 1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n 
\"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json index f99b8981ef1f..630c68ee64e1 100644 
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "ea1b34fd-58bb-4cde-b406-3f98615ce510" + "eb4ca80f-3c43-4dc4-92bf-208dad8b6f69" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -30,13 +30,73 @@ "749" ], "x-ms-request-id": [ - "e25b6f5d-54c6-4dbf-84c7-59d5683a425b" + "484a37f8-59d2-48a0-aea8-e2373168f41b" + ], + "x-ms-correlation-request-id": [ + "484a37f8-59d2-48a0-aea8-e2373168f41b" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T081838Z:484a37f8-59d2-48a0-aea8-e2373168f41b" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 08:18:38 GMT" + ], + "Content-Length": [ + "250467" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": 
\"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": 
{\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be 
disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM 
is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": 
\"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n 
\"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n 
\"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n 
\"statusChangeDate\": \"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n 
\"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n 
\"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual 
machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n 
\"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": 
\"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": 
\"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n 
},\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudHM/YXBpLXZlcnNpb249MjAyMS0wNi0wMSZOZXh0TGluaz1fZHluYW1pYw==", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "eb4ca80f-3c43-4dc4-92bf-208dad8b6f69" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "x-ms-request-id": [ + "44c216af-3e59-4dcb-a53e-87723034be5b" ], "x-ms-correlation-request-id": [ - "e25b6f5d-54c6-4dbf-84c7-59d5683a425b" + "44c216af-3e59-4dcb-a53e-87723034be5b" ], 
"x-ms-routing-request-id": [ - "UKSOUTH:20201130T144739Z:e25b6f5d-54c6-4dbf-84c7-59d5683a425b" + "FRANCESOUTH:20221117T081840Z:44c216af-3e59-4dcb-a53e-87723034be5b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -45,10 +105,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:38 GMT" + "Thu, 17 Nov 2022 08:18:39 GMT" ], "Content-Length": [ - "128278" + "12" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -57,7 +117,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": 
\"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore/providers/Microsoft.Security/assessments/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore\"\r\n },\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"ReportTimeUtc\": \"11/26/2020 4:48:59 PM\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should 
be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": 
\"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": 
\"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": 
\"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n 
\"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": 
\"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"c0debf7b-d214-46d6-915f-095bd45f3843\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from your 
subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed 
from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": 
\"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n 
\"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive 
network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should 
be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"The extension might be corrupted, please try to remove it and deploy again\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does 
not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": 
\"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual 
machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n 
\"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n 
\"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n \"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring 
agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-30T10:33:59.707Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-29T18:44:13.58Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n 
\"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Your machines should 
be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": 
\"Web Application should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": 
\"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your 
function app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": []\r\n}", "StatusCode": 200 } ], From 708bc33a5f898f27fdcac8dadeeb9b3f3879a715 Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 11:31:00 +0200 Subject: [PATCH 07/18] Fix Alerts code and tests record and coverage --- .../ScenarioTests/SecurityAlertTests.ps1 | 85 ++- .../GetResourceGroupLevelResource.json | 115 +++- .../GetResourceGroupScope.json | 89 +++- .../GetResourceId.json | 113 +++- .../GetSubscriptionLevelResource.json | 117 +++- .../GetSubscriptionScope.json | 26 +- .../SetResourceGroupLevelResource.json | 500 ++++++++++++++++-- .../SetResourceId.json | 498 +++++++++++++++-- .../SetSubscriptionLevelResource.json | 498 +++++++++++++++-- .../Security/Cmdlets/Alerts/GetAlerts.cs | 4 +- .../Security/Cmdlets/Alerts/SetAlerts.cs | 17 +- 11 files changed, 1832 insertions(+), 230 deletions(-) 
diff --git a/src/Security/Security.Test/ScenarioTests/SecurityAlertTests.ps1 b/src/Security/Security.Test/ScenarioTests/SecurityAlertTests.ps1 index ac3c3496526e..9922aee1ae96 100644 --- a/src/Security/Security.Test/ScenarioTests/SecurityAlertTests.ps1 +++ b/src/Security/Security.Test/ScenarioTests/SecurityAlertTests.ps1 @@ -89,11 +89,25 @@ function Set-AzureRmSecurityAlert-ResourceGroupLevelResource $location = Extract-ResourceLocation -ResourceId $alert.Id $rgName = Extract-ResourceGroup -ResourceId $alert.Id + # Validate Active status Set-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name -ActionType "Activate" + $fetchedAlert = Get-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name + Validate-AlertActivity -alert $fetchedAlert + # Validate Dismissed status + Set-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name -ActionType "Dismiss" $fetchedAlert = Get-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name + Validate-AlertDismissed -alert $fetchedAlert - Validate-AlertActivity -alert $fetchedAlert + # Validate Resolved status + Set-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name -ActionType "Resolve" + $fetchedAlert = Get-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name + Validate-AlertResolved -alert $fetchedAlert + + # Validate InProgress status + Set-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name -ActionType "InProgress" + $fetchedAlert = Get-AzSecurityAlert -ResourceGroupName $rgName -Location $location -Name $alert.Name + Validate-AlertInProgress -alert $fetchedAlert } <# 
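Review bot: The sequence in Set-AzureRmSecurityAlert-ResourceGroupLevelResource ends with `-ActionType "InProgress"` and nothing puts the alert back. A run in record mode against a live subscription therefore leaves the selected alert in a changed triage state, having dismissed and resolved it on the way. The Set-AzureRmSecurityAlert-SubscriptionLevelResource and Set-AzureRmSecurityAlert-ResourceId hunks have the same problem. I would capture `$originalStatus = $alert.Status` before the first `Set-AzSecurityAlert` and re-apply the matching action in a `finally` block. The function starts above this hunk, so how `$alert` is selected here is not visible.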
@@ -106,11 +120,25 @@ function Set-AzureRmSecurityAlert-SubscriptionLevelResource $alert = $alerts | where { $_.Id -notlike "*resourceGroups*" } | Select -First 1 $location = Extract-ResourceLocation -ResourceId $alert.Id + # Validate Active status Set-AzSecurityAlert -Location $location -Name $alert.Name -ActionType "Activate" + $fetchedAlert = Get-AzSecurityAlert -Location $location -Name $alert.Name + Validate-AlertActivity -alert $fetchedAlert + # Validate Dismissed status + Set-AzSecurityAlert -Location $location -Name $alert.Name -ActionType "Dismiss" $fetchedAlert = Get-AzSecurityAlert -Location $location -Name $alert.Name + Validate-AlertDismissed -alert $fetchedAlert - Validate-AlertActivity -alert $fetchedAlert + # Validate Resolved status + Set-AzSecurityAlert -Location $location -Name $alert.Name -ActionType "Resolve" + $fetchedAlert = Get-AzSecurityAlert -Location $location -Name $alert.Name + Validate-AlertResolved -alert $fetchedAlert + + # Validate InProgress status + Set-AzSecurityAlert -Location $location -Name $alert.Name -ActionType "InProgress" + $fetchedAlert = Get-AzSecurityAlert -Location $location -Name $alert.Name + Validate-AlertInProgress -alert $fetchedAlert } <# 
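Review bot: `$alert` is `$null` when the `where { $_.Id -notlike "*resourceGroups*" }` filter matches nothing, and the four new Set/Get pairs then run with empty `-Location` and `-Name` values. That presumably surfaces as a parameter error rather than a clear test failure. Adding `Assert-NotNull $alert` directly after the `Select -First 1` line would make the precondition explicit. The ResourceId test further down selects with `$alerts | Select -First 1` and would benefit from the same check.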
@@ -122,10 +150,25 @@ function Set-AzureRmSecurityAlert-ResourceId $alerts = Get-AzSecurityAlert $alert = $alerts | Select -First 1 + # Validate Active status Set-AzSecurityAlert -ResourceId $alert.Id -ActionType "Activate" $fetchedAlert = Get-AzSecurityAlert -ResourceId $alert.Id - Validate-AlertActivity -alert $fetchedAlert + + # Validate Dismissed status + Set-AzSecurityAlert -ResourceId $alert.Id -ActionType "Dismiss" + $fetchedAlert = Get-AzSecurityAlert -ResourceId $alert.Id + Validate-AlertDismissed -alert $fetchedAlert + + # Validate Resolved status + Set-AzSecurityAlert -ResourceId $alert.Id -ActionType "Resolve" + $fetchedAlert = Get-AzSecurityAlert -ResourceId $alert.Id + Validate-AlertResolved -alert $fetchedAlert + + # Validate InProgress status + Set-AzSecurityAlert -ResourceId $alert.Id -ActionType "InProgress" + $fetchedAlert = Get-AzSecurityAlert -ResourceId $alert.Id + Validate-AlertInProgress -alert $fetchedAlert } <# @@ -166,4 +209,40 @@ function Validate-AlertActivity Assert-NotNull $alert Assert-True { $alert.Status -eq "Active" } +} + +<# +.SYNOPSIS +Validates a single alert +#> +function Validate-AlertDismissed +{ + param($alert) + + Assert-NotNull $alert + Assert-True { $alert.Status -eq "Dismissed" } +} + +<# +.SYNOPSIS +Validates a single alert +#> +function Validate-AlertResolved +{ + param($alert) + + Assert-NotNull $alert + Assert-True { $alert.Status -eq "Resolved" } +} + +<# +.SYNOPSIS +Validates a single alert +#> +function Validate-AlertInProgress +{ + param($alert) + + Assert-NotNull $alert + Assert-True { $alert.Status -eq "InProgress" } } \ No newline at end of file diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupLevelResource.json index 49069aa0155d..d21743e94940 100644 
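Review bot: The four Set/Get/Validate groups in Set-AzureRmSecurityAlert-ResourceId are the same three lines repeated with a different action and expected status, and the same block is pasted into the two other Set tests. A mismatch between an `-ActionType` and the status it is checked against is easy to introduce and hard to spot in this form. Driving the calls from one ordered action-to-status table keeps each pair in a single place, as sketched below.

```powershell
    # … unchanged: $alerts / $alert selection …
    $transitions = [ordered]@{
        "Activate"   = "Active"
        "Dismiss"    = "Dismissed"
        "Resolve"    = "Resolved"
        "InProgress" = "InProgress"
    }
    foreach ($action in $transitions.Keys)
    {
        Set-AzSecurityAlert -ResourceId $alert.Id -ActionType $action
        $fetchedAlert = Get-AzSecurityAlert -ResourceId $alert.Id
        Assert-NotNull $fetchedAlert
        Assert-True { $fetchedAlert.Status -eq $transitions[$action] }
    }
```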
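Review bot: The three new helpers Validate-AlertDismissed, Validate-AlertResolved and Validate-AlertInProgress all carry the synopsis `Validates a single alert`, which does not say what each one checks. I would make each synopsis name the expected status, for example `Validates that a single alert has status Dismissed`, and likewise for Resolved and InProgress. The existing Validate-AlertActivity begins above this hunk, so its synopsis is not visible here.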
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupLevelResource.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "467b18a9-4318-4aee-bbc3-c0454a754895" + "170e45a1-d935-4605-ab50-1b6ee72a8338" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -31,16 +31,16 @@ "" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "748" + "749" ], "x-ms-request-id": [ - "9b90f98b-af9c-4940-8ecc-e17563fdc1c1" + "875ea08f-ed1f-4b3f-8bcd-69bbd838a366" ], "x-ms-correlation-request-id": [ - "9b90f98b-af9c-4940-8ecc-e17563fdc1c1" + "875ea08f-ed1f-4b3f-8bcd-69bbd838a366" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190955Z:9b90f98b-af9c-4940-8ecc-e17563fdc1c1" + "FRANCESOUTH:20221117T092007Z:875ea08f-ed1f-4b3f-8bcd-69bbd838a366" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +49,7 @@ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:55 GMT" + "Thu, 17 Nov 2022 09:20:07 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +58,94 @@ "-1" ], "Content-Length": [ - "143561" + "706133" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, 
callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. 
In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, 
The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. 
The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": 
\"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute 
Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": 
\"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": 
\"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as 
possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": 
\"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": 
\"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on 
Sample-VM. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": 
\"centralus_61\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n 
\"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTc3MzUxODc3OTAzMDkyODFfZDU5ODk5NDEtYzk3OS00MDk2LWExZTktZDVkY2Y2ZmIxMzJhP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": "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", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "170e45a1-d935-4605-ab50-1b6ee72a8338" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "x-ms-request-id": [ + "ab565077-9cac-415a-8d66-cf58507ef898" + ], + "x-ms-correlation-request-id": [ + "ab565077-9cac-415a-8d66-cf58507ef898" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092009Z:ab565077-9cac-415a-8d66-cf58507ef898" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:20:09 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "1233144" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 
[2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n 
\"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": 
\"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": 
[\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - 
"b3849937-3fb3-4d3d-b825-2282e081c41a" + "3995b8ec-8471-42ca-8391-df7fca85b069" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -100,22 +163,22 @@ "Kestrel" ], "x-ms-request-id": [ - "3ba10a63-49b9-4697-8eb1-603b5934016f" + "d69cce34-b915-425f-954a-8d1ceef16783" ], "x-ms-correlation-request-id": [ - "3ba10a63-49b9-4697-8eb1-603b5934016f" + "d69cce34-b915-425f-954a-8d1ceef16783" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190956Z:3ba10a63-49b9-4697-8eb1-603b5934016f" + "FRANCESOUTH:20221117T092011Z:d69cce34-b915-425f-954a-8d1ceef16783" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:56 GMT" + "Thu, 17 Nov 2022 09:20:11 GMT" ], "Content-Length": [ - "2795" + "2847" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -124,7 +187,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. 
If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupScope.json index 0ac6867e88b6..1f804c6586d4 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceGroupScope.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2FsZXJ0cz9hcGktdmVyc2lvbj0yMDIxLTAxLTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2FsZXJ0cz9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "b3cb771e-0d99-4480-b0c4-5c34253a72ba" + "21a2d495-5243-4d41-938f-22e702edf581" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -30,17 +30,80 @@ "", "" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "x-ms-request-id": [ + "fe845507-c33b-4dab-a5e6-45254221e27c" + ], + "x-ms-correlation-request-id": [ + "fe845507-c33b-4dab-a5e6-45254221e27c" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T091950Z:fe845507-c33b-4dab-a5e6-45254221e27c" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:19:49 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "294062" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. 
The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user 
or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) 
does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. 
In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This 
vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n 
\"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. 
The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n 
\"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": 
\"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": 
\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best 
practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n 
\"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in 
common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n 
\"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": 
\"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. 
Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. 
To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n 
\"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_93\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_93\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": 
\"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_98\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_98\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": 
\"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. 
Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_103\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_103\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. 
Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_107\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": 
[\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n 
\"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n 
\"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_117\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_120\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_148\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_154\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_161\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_169\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_166\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n 
\"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). 
The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure 
storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_195\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_197\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_221\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_225\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_229\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_233\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_232\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_236\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_238\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_242\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_241\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_250\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_250\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_254\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_253\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_259\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_265\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_266\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_271\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_270\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_281\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_289\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_288\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_317\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_319\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_344\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_348\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUAibkQaRVlaQEZbtA49gmy82AN3Fig2ubzWO1%2f15U9VBpjvPQzHw4LbvZF95ejLP4cNZxhuDyBe%2bdhXOyVpmF50na0iOTrLUj%2bug1G9WdXITh2DN9ZWrNleVda7xwPquqcD5xq0nlu%2bEMMDeq%2fcYF%2fgzMpiB4m08jTzPT9bpmie56Zbw9lUowFyae0t07b5g2Xspr3ZnuzY72rO41t3ePCqat%2bU4Vd98HyhD3FPhB4PpgwNcv5sIV6i6sfWL357w8nHycbO5NInxaRP0%2bIJPtuePpPvbz9SaHSf0oCvCcxlFMDrCkolQIp9c0nkyhvKUkuf1GuIFNDPAOZRlJ0jsi8GeFo7hAmL%2bs%2f2XIaPyf9zjjm4wKEqJWZekF4OKgBq0BCECd4QjTB%2flFzkKhg1pToSxEJN89ViGSIGPxDWMpciatXxSqoD6YpD9IycTlgUSTUyCmO7TKIcB2y68cSRI2G3h6lTeB5MaW%2b%2b20aomp1ldOhu5lQHyUROfXA1RVEPL8vIqcz28O1XJ5PGp2pJY1fycbfl7C1Pn8Aw%3d%3d\"\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUAibkQaRVlaQEZbtA49gmy82AN3Fig2ubzWO1%2f15U9VBpjvPQzHw4LbvZF95ejLP4cNZxhuDyBe%2bdhXOyVpmF50na0iOTrLUj%2bug1G9WdXITh2DN9ZWrNleVda7xwPquqcD5xq0nlu%2bEMMDeq%2fcYF%2fgzMpiB4m08jTzPT9bpmie56Zbw9lUowFyae0t07b5g2Xspr3ZnuzY72rO41t3ePCqat%2bU4Vd98HyhD3FPhB4PpgwNcv5sIV6i6sfWL357w8nHycbO5NInxaRP0%2bIJPtuePpPvbz9SaHSf0oCvCcxlFMDrCkolQIp9c0nkyhvKUkuf1GuIFNDPAOZRlJ0jsi8GeFo7hAmL%2bs%2f2XIaPyf9zjjm4wKEqJWZekF4OKgBq0BCECd4QjTB%2flFzkKhg1pToSxEJN89ViGSIGPxDWMpciatXxSqoD6YpD9IycTlgUSTUyCmO7TKIcB2y68cSRI2G3h6lTeB5MaW%2b%2b20aomp1ldOhu5lQHyUROfXA1RVEPL8vIqcz28O1XJ5PGp2pJY1fycbfl7C1Pn8Aw%3d%3d", + "EncodedRequestUri": "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", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "21a2d495-5243-4d41-938f-22e702edf581" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + 
] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "748" ], "x-ms-request-id": [ - "bddf216f-c642-4b4c-b101-f5c172faf96e" + "481c8094-cfce-4cd6-8c3f-bfa0733aca3f" ], "x-ms-correlation-request-id": [ - "bddf216f-c642-4b4c-b101-f5c172faf96e" + "481c8094-cfce-4cd6-8c3f-bfa0733aca3f" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190904Z:bddf216f-c642-4b4c-b101-f5c172faf96e" + "FRANCESOUTH:20221117T091951Z:481c8094-cfce-4cd6-8c3f-bfa0733aca3f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +112,7 @@ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:03 GMT" + "Thu, 17 Nov 2022 09:19:50 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,10 +121,10 @@ "-1" ], "Content-Length": [ - "128915" + "12" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": 
[\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. 
Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. 
To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_128\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": []\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceId.json index ccdd4a8360e0..7b239fdb0e8d 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetResourceId.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "db3e2dc0-dd2e-4ebc-be2e-b78300f10654" + "5236b1a4-7075-4e4c-80ae-6faa3839d1a8" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -34,13 +34,13 @@ "749" ], "x-ms-request-id": [ - "8409baae-d7ad-407c-97cc-1406e5ae4b18" + "621d3c29-8ae9-4084-a21f-a9baf8105959" ], "x-ms-correlation-request-id": [ - "8409baae-d7ad-407c-97cc-1406e5ae4b18" + "621d3c29-8ae9-4084-a21f-a9baf8105959" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190929Z:8409baae-d7ad-407c-97cc-1406e5ae4b18" + "FRANCESOUTH:20221117T091957Z:621d3c29-8ae9-4084-a21f-a9baf8105959" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +49,7 @@ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:28 GMT" + "Thu, 17 Nov 2022 09:19:56 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +58,94 @@ "-1" ], "Content-Length": [ - "143561" + "706133" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, 
callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. 
In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, 
The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. 
The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": 
\"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute 
Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": 
\"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": 
\"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as 
possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": 
\"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": 
\"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on 
Sample-VM. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": 
\"centralus_61\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n 
\"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTc3MzUxODc3OTAzMDkyODFfZDU5ODk5NDEtYzk3OS00MDk2LWExZTktZDVkY2Y2ZmIxMzJhP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": "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", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "5236b1a4-7075-4e4c-80ae-6faa3839d1a8" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "x-ms-request-id": [ + "a674a6e0-8b92-4990-a113-4c3755158efb" + ], + "x-ms-correlation-request-id": [ + "a674a6e0-8b92-4990-a113-4c3755158efb" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T091958Z:a674a6e0-8b92-4990-a113-4c3755158efb" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:19:58 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "1233144" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 
[2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n 
\"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": 
\"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": 
[\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - 
"f96a415a-1eb9-4105-9a23-b39e1e88bc61" + "c3344b03-d93d-4d40-ac7d-c6aee8fc5605" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -100,22 +163,22 @@ "Kestrel" ], "x-ms-request-id": [ - "ff5a475b-9969-4e6f-bc42-356d58b3475d" + "31ab4f32-d13d-4561-aee6-2cee724a074b" ], "x-ms-correlation-request-id": [ - "ff5a475b-9969-4e6f-bc42-356d58b3475d" + "31ab4f32-d13d-4561-aee6-2cee724a074b" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190930Z:ff5a475b-9969-4e6f-bc42-356d58b3475d" + "FRANCESOUTH:20221117T092001Z:31ab4f32-d13d-4561-aee6-2cee724a074b" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:29 GMT" + "Thu, 17 Nov 2022 09:20:00 GMT" ], "Content-Length": [ - "2795" + "2847" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -124,7 +187,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. 
If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionLevelResource.json index 4881ecadde36..0a45c50e6641 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionLevelResource.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "8e824f07-cd30-4c97-9074-df1aef5ee83a" + "8ecf6fd3-f06a-4cd4-9dd7-eaf1520408bf" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -31,16 +31,16 @@ "" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "747" + "749" ], "x-ms-request-id": [ - "e951cd8b-aa7f-4446-80c7-5b883d1c369a" + "f7ae4379-822b-4397-b333-b8fc83a368c1" ], "x-ms-correlation-request-id": [ - "e951cd8b-aa7f-4446-80c7-5b883d1c369a" + "f7ae4379-822b-4397-b333-b8fc83a368c1" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T191007Z:e951cd8b-aa7f-4446-80c7-5b883d1c369a" + "FRANCESOUTH:20221117T092027Z:f7ae4379-822b-4397-b333-b8fc83a368c1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +49,7 @@ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:10:07 GMT" + "Thu, 17 Nov 2022 09:20:26 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +58,31 @@ "-1" ], "Content-Length": [ - "143561" + "706133" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, 
callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. 
In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, 
The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. 
The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": 
\"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute 
Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": 
\"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": 
\"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as 
possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": 
\"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": 
\"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on 
Sample-VM. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": 
\"centralus_61\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n 
\"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzczNTE4ODI5MDE1MzM0OV9kMTRlOTVjMi00NTA4LTQyMWItOWYxYS0wMTdmNGU2ZGU1ZDY/YXBpLXZlcnNpb249MjAyMS0wMS0wMQ==", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": 
"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", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5abcc18d-63a1-4b11-a9d6-fe5f2ec6af02" + "8ecf6fd3-f06a-4cd4-9dd7-eaf1520408bf" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -90,9 +90,72 @@ "Pragma": [ "no-cache" ], + "x-ms-original-request-ids": [ + "" + ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "748" ], + "x-ms-request-id": [ + "be07876c-9cef-41d4-ae3f-bcea7cbddd9c" + ], + "x-ms-correlation-request-id": [ + "be07876c-9cef-41d4-ae3f-bcea7cbddd9c" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092028Z:be07876c-9cef-41d4-ae3f-bcea7cbddd9c" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:20:28 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "1233144" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n 
\"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 [2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n 
\"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": 
\"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n 
\"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea 
Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjE/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "c0fe37bf-dcaa-4e9d-a942-533c86f26046" + ], + 
"Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], @@ -100,22 +163,22 @@ "Kestrel" ], "x-ms-request-id": [ - "9ed9a514-0d32-4a2b-a64e-5ba70044bd9d" + "3496e916-6115-43bb-9999-6e1ca28ba3a7" ], "x-ms-correlation-request-id": [ - "9ed9a514-0d32-4a2b-a64e-5ba70044bd9d" + "3496e916-6115-43bb-9999-6e1ca28ba3a7" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T191008Z:9ed9a514-0d32-4a2b-a64e-5ba70044bd9d" + "FRANCESOUTH:20221117T092031Z:3496e916-6115-43bb-9999-6e1ca28ba3a7" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:10:08 GMT" + "Thu, 17 Nov 2022 09:20:30 GMT" ], "Content-Length": [ - "3209" + "3259" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -124,7 +187,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. 
Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. 
Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 } ], 
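Review bot: The new `ResponseBody` in this hunk still carries the real tenant GUID in `azureResourceTenantId` and the real subscription id in `id`, `compromisedEntity` and `alertUri`, even though the alert is a `[SAMPLE ALERT]` whose other identifying fields are already zeroed (`principalOid`, `ip address`). The tenant value sits only inside the response body, so it could presumably be recorded as `\"azureResourceTenantId\": \"00000000-0000-0000-0000-000000000000\"` without affecting playback; confirm against the recorder's matching rules. The same concern applies with more weight to the entry added just above in this file, whose hunk starts outside this view. It records non-sample alert entities, namely source IP addresses with geolocation, `network-connection` records and a resource group name in `alertUri`, so that response would be better re-recorded against sample alerts only or trimmed before it is committed as a fixture.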
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionScope.json index 8f67008f393b..d1639ce17375 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/GetSubscriptionScope.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "fdb7301d-4327-4709-8100-7ec8596f10b7" + "7179b99a-3128-4846-aa9f-4b5790e91609" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -34,13 +34,13 @@ "749" ], "x-ms-request-id": [ - "330b6ec5-fd0f-4fdf-a36c-114e7efe78d9" + "5f70c92e-a92f-4485-89ad-d9c5beeffbe2" ], "x-ms-correlation-request-id": [ - "330b6ec5-fd0f-4fdf-a36c-114e7efe78d9" + "5f70c92e-a92f-4485-89ad-d9c5beeffbe2" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T190916Z:330b6ec5-fd0f-4fdf-a36c-114e7efe78d9" + "FRANCESOUTH:20221117T090937Z:5f70c92e-a92f-4485-89ad-d9c5beeffbe2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +49,7 @@ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:09:15 GMT" + "Thu, 17 Nov 2022 09:09:37 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,10 +58,10 @@ "-1" ], "Content-Length": [ - "143561" + "1626803" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended 
for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_74\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_86\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_92\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_93\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_168\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_152\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_229\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_230\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_232\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_233\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_234\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 [2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_245\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 
206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n 
\"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n 
\"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_261\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_355\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_356\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_368\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_369\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_370\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_372\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_373\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_374\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_375\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_377\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_378\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_379\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_380\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_382\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_383\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_384\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_385\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_387\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_410\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_441\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_511\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_640\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_636\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_637\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_638\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_639\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_640\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_672\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_754\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_755\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_756\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_757\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_779\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_822\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_882\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_914\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_925\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_986\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_990\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_986\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_987\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_988\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_989\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_990\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_991\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_992\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1015\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1030\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1036\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n 
\"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": 
{\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1145\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1150\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1160\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n 
\"state\": \"Greater London\",\r\n \"city\": \"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n 
\"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1222\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_1232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1244\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1339\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1338\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1339\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1340\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1341\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1342\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1343\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1344\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1345\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1346\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1358\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1387\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1392\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1402\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1464\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1462\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1463\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1464\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1465\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1466\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1467\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1468\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1486\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1520\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1532\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1589\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1629\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1612\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1641\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1692\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1693\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1694\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1695\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1696\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1697\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1698\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1699\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1713\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1724\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1727\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1817\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1826\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1831\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1805\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1822\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1894\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1898\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1927\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1896\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2001\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2070\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2113\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2211\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2281\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2310\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2312\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2326\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2309\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2386\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2405\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2415\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2394\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2423\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2506\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2568\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2585\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2604\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2613\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2614\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2587\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2671\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2694\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2700\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2738\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2774\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2808\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2822\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2880\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2885\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2978\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2980\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2986\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3008\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3083\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3099\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3114\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3155\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3124\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3228\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3269\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3294\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3300\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3304\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3332\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3314\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3343\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3397\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3403\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3438\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3439\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3511\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3516\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3524\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3526\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3542\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3559\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3533\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3604\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3617\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3627\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3610\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3639\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3750\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3727\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3729\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3801\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3841\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3846\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3820\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3822\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3849\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3904\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3939\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_4005\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4007\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4046\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4023\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4052\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4110\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4141\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4152\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4216\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4315\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4321\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4331\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4341\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4346\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4332\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4345\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4361\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4460\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4444\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4537\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4665\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4661\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4735\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4757\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4742\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4771\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4828\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4879\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4932\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4959\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4977\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4940\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4969\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5038\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5067\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5072\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5073\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5074\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5075\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5076\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5077\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5078\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5079\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5080\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5081\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5082\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5083\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5084\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5094\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_5045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5098\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5064\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5123\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_5074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5134\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_5135\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_5136\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_5137\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5138\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5139\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5140\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5141\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5142\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5143\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5144\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5145\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5146\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5148\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5149\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5150\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5151\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5152\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5153\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5154\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5155\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5156\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5157\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5158\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5159\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5160\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5161\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5162\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5163\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5164\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5165\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5166\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5167\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5168\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5169\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5170\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5171\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5172\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5173\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5174\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5175\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5176\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5177\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5178\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5149\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5152\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5220\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_5222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_5223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_5224\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5225\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5226\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5227\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5228\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5229\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5230\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5231\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5232\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5233\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5234\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5235\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5236\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5237\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5238\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5239\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5240\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5241\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5242\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5243\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5244\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5245\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5246\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5247\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5248\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5249\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5250\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5252\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5253\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5254\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5255\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5256\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5257\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5258\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5259\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5260\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5261\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5262\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5263\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5264\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5265\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5266\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5267\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5268\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5225\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5299\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceGroupLevelResource.json index 05a799f4d666..2cf53e8273dd 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceGroupLevelResource.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "7190838d-65f3-4df5-b73c-b00653fe5f46" + "a5d3a813-d324-466e-8a5e-b339176ded34" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -30,17 +30,80 @@ "", "" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "x-ms-request-id": [ + "f827d545-7799-43f5-88bc-777581ee2cfe" + ], + "x-ms-correlation-request-id": [ + "f827d545-7799-43f5-88bc-777581ee2cfe" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092829Z:f827d545-7799-43f5-88bc-777581ee2cfe" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:29 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "706133" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. 
The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user 
or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) 
does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. 
In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This 
vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n 
\"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. 
The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n 
\"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": 
\"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": 
\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best 
practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n 
\"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in 
common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n 
\"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": 
\"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": "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", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "a5d3a813-d324-466e-8a5e-b339176ded34" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + 
"Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "748" ], "x-ms-request-id": [ - "27154624-9307-4998-905a-876136cd6c6c" + "e7ae942f-4b6a-46a7-8cc4-5efd569e05fe" ], "x-ms-correlation-request-id": [ - "27154624-9307-4998-905a-876136cd6c6c" + "e7ae942f-4b6a-46a7-8cc4-5efd569e05fe" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195624Z:27154624-9307-4998-905a-876136cd6c6c" + "FRANCESOUTH:20221117T092831Z:e7ae942f-4b6a-46a7-8cc4-5efd569e05fe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +112,7 @@ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:56:23 GMT" + "Thu, 17 Nov 2022 09:28:31 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +121,31 @@ "-1" ], "Content-Length": [ - "143561" + "1233144" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": 
\"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 [2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n 
\"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": 
\"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n 
\"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea 
Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/activate?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTc3MzUxODc3OTAzMDkyODFfZDU5ODk5NDEtYzk3OS00MDk2LWExZTktZDVkY2Y2ZmIxMzJhL2FjdGl2YXRlP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/activate?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhL2FjdGl2YXRlP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "POST", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "8a1696d2-86d5-4eb0-af62-7213383ec3b7" + "ebc08010-0020-4b4f-839d-0ca574580647" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -97,52 +160,238 @@ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" + "1199" ], "x-ms-request-id": [ - "03fbbc5e-47f3-4c45-a191-868933089ccc" + "59f17683-bf9a-4b08-ae85-ff41d02ca1d3" ], "x-ms-correlation-request-id": [ - "03fbbc5e-47f3-4c45-a191-868933089ccc" + "59f17683-bf9a-4b08-ae85-ff41d02ca1d3" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195625Z:03fbbc5e-47f3-4c45-a191-868933089ccc" + "FRANCESOUTH:20221117T092834Z:59f17683-bf9a-4b08-ae85-ff41d02ca1d3" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:56:25 GMT" + "Thu, 17 Nov 2022 09:28:34 GMT" ], "Expires": [ "-1" - ], - "Content-Length": [ - "0" ] }, "ResponseBody": "", "StatusCode": 204 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTc3MzUxODc3OTAzMDkyODFfZDU5ODk5NDEtYzk3OS00MDk2LWExZTktZDVkY2Y2ZmIxMzJhP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "c2ab758b-0fb2-4e3c-b495-bf1ef2701fdc" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + 
"FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "1cce41ab-0b9c-4ce0-8b03-5b2988ac3e0d" + ], + "x-ms-correlation-request-id": [ + "1cce41ab-0b9c-4ce0-8b03-5b2988ac3e0d" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092834Z:1cce41ab-0b9c-4ce0-8b03-5b2988ac3e0d" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:34 GMT" + ], + "Content-Length": [ + "2847" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ad148c82-508f-4198-a7a7-eb9e765065b1" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + 
"FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "a51b1296-6d60-4c52-83ae-3f4c31160010" + ], + "x-ms-correlation-request-id": [ + "a51b1296-6d60-4c52-83ae-3f4c31160010" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092836Z:a51b1296-6d60-4c52-83ae-3f4c31160010" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:36 GMT" + ], + "Content-Length": [ + "2850" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "1e70f591-9ab3-46ec-a26c-d76df6df7d07" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + 
"FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "df995b37-1665-4739-b8eb-d9299a2b86d3" + ], + "x-ms-correlation-request-id": [ + "df995b37-1665-4739-b8eb-d9299a2b86d3" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092839Z:df995b37-1665-4739-b8eb-d9299a2b86d3" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:38 GMT" + ], + "Content-Length": [ + "2849" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Resolved\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "dfbd4b77-3f4f-4877-8b3e-4500ccd58e68" + "a2691867-adf5-4faa-8a68-c7c9527a2c68" ], "Accept-Language": [ "en-US" 
], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -160,22 +409,22 @@ "Kestrel" ], "x-ms-request-id": [ - "6ecfe9af-06ba-4975-8354-5aa0a513b62b" + "276b5803-5698-45f1-aa93-c1025509bc60" ], "x-ms-correlation-request-id": [ - "6ecfe9af-06ba-4975-8354-5aa0a513b62b" + "276b5803-5698-45f1-aa93-c1025509bc60" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T200417Z:6ecfe9af-06ba-4975-8354-5aa0a513b62b" + "FRANCESOUTH:20221117T092841Z:276b5803-5698-45f1-aa93-c1025509bc60" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 20:04:17 GMT" + "Thu, 17 Nov 2022 09:28:41 GMT" ], "Content-Length": [ - "2795" + "2851" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -184,8 +433,179 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. 
If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"InProgress\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/dismiss?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhL2Rpc21pc3M/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "3aeb8176-2f63-44b4-8d8b-029b5e4ecc5f" + ], + "Accept-Language": [ + "en-US" + ], + 
"User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "073cf054-a379-44ab-bdef-b316f2c3e04d" + ], + "x-ms-correlation-request-id": [ + "073cf054-a379-44ab-bdef-b316f2c3e04d" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092836Z:073cf054-a379-44ab-bdef-b316f2c3e04d" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:35 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/resolve?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhL3Jlc29sdmU/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "a2a7caaf-ea9f-42f7-88c9-d8b7fa4ad8f1" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; 
includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "614d664e-11ba-40f7-9b70-a24e0923e16c" + ], + "x-ms-correlation-request-id": [ + "614d664e-11ba-40f7-9b70-a24e0923e16c" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092838Z:614d664e-11ba-40f7-9b70-a24e0923e16c" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:37 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/inProgress?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhL2luUHJvZ3Jlc3M/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "9c6ceb13-9373-491d-bb91-a0943c678b62" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "6935a46d-bfe4-40cf-8784-3d8b9db989c2" + ], + "x-ms-correlation-request-id": [ + "6935a46d-bfe4-40cf-8784-3d8b9db989c2" + ], + "x-ms-routing-request-id": [ + 
"FRANCESOUTH:20221117T092840Z:6935a46d-bfe4-40cf-8784-3d8b9db989c2" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:39 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 } ], "Names": {}, diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceId.json index 80a5f567ba31..f0ae2c849168 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetResourceId.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "ba4fe4b7-3c48-4f71-9119-c08025f7bf36" + "8fc78c57-8256-4966-b656-d2745623f54e" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -30,17 +30,80 @@ "", "" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "x-ms-request-id": [ + "42b19955-28be-4c0a-b0a2-1170be963e28" + ], + "x-ms-correlation-request-id": [ + "42b19955-28be-4c0a-b0a2-1170be963e28" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092857Z:42b19955-28be-4c0a-b0a2-1170be963e28" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:28:56 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "706137" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"InProgress\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. 
The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user 
or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) 
does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. 
In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This 
vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n 
\"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. 
The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n 
\"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": 
\"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": 
\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best 
practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n 
\"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in 
common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n 
\"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": 
\"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDEmJTI0c2tpcHRva2VuPVRWSExqcHN3QVB3WFZQVlVnazNJZzBpcktra0p5alpBNDlnbXk4MkFOM0ZpZzR1ZHpXTzElMmYxNjAya09sT2M1RE0lMmZQdU5QeG1ONkk1RzJmMjdpeWpGS1A1aHV5Y21YTzBWcHVaNXluV3NBTlh2TEVEOXJoMGZGQzFhaFlFUTg5Y1NsTjFRbHZSTnNZTHBwT3lES1lqdHh5VndBMG1rTHRoQldvWGdnbWNqS0glMmZPaDJIbnU3YU4xSHp6bmlKcUxyV3RLOTJzT1BWcFJQMjdqSEpPMnQlMmJNaTNjdDU3U3V6NzV3UGRkQUh0OCUyZjJiT1F1UDJ6SnNuZm4lMmZPaXYwUmtIaDFyMk1KV0I1ZWRqNGRyVSUyYnRTSFlSeUphckRNWFZJOCUyZmhjeEtGRWQyamdzbENZNUpjazJnMFJ1cVcwUGoyRjVNYTFSRWtXNXltTkU3dW1LTGZKUW1qSEJPeFdYNWxxSEQ0biUyZmN3RmF1VVNScmdScWZKR1pKOHIzdXRnUmlpTGlVaFlRJTJmNmg1Nmt4bnU5WkZKYmhHbTJmU3dDckdES294c2hTbVpjV1pEbk9tY0FqcEpmdE9EeSUyZk1DeXpoaVU0eTFlWkFnU3V4WlhnUlVONmhVNnZxaWJ4R3BsaTkxNlhEYlVsTXVyb0gzM3dxY0F4JTJiSHBaWTkwNlFjaU95MUM1JTJiT0h3em8xUHh3NmZtQ1cxNSUyYlQ5WGZPVWVKOCUyZkFNJTNk", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "8fc78c57-8256-4966-b656-d2745623f54e" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "748" ], "x-ms-request-id": [ - "0a6010b8-5e22-4d54-ba62-af9ef9c9ca65" + "d8203749-bc1b-4437-8bdd-a9fc6f28a15a" ], "x-ms-correlation-request-id": [ - "0a6010b8-5e22-4d54-ba62-af9ef9c9ca65" + "d8203749-bc1b-4437-8bdd-a9fc6f28a15a" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195716Z:0a6010b8-5e22-4d54-ba62-af9ef9c9ca65" + "FRANCESOUTH:20221117T092858Z:d8203749-bc1b-4437-8bdd-a9fc6f28a15a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -49,7 +112,7 @@ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:57:15 GMT" + "Thu, 17 Nov 2022 09:28:58 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +121,31 @@ "-1" ], "Content-Length": [ - "143561" + "1233144" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": 
\"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 [2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n 
\"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": 
\"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n 
\"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea 
Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/activate?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzczNTE4Nzc5MDMwOTI4MV9kNTk4OTk0MS1jOTc5LTQwOTYtYTFlOS1kNWRjZjZmYjEzMmEvYWN0aXZhdGU/YXBpLXZlcnNpb249MjAyMS0wMS0wMQ==", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/activate?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTE4NDg2MjQxM184ZGUwOTI3MC1kYzUzLTQwZDQtYmVlZC1mMjlkNDc1YjVkNWEvYWN0aXZhdGU/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", "RequestMethod": "POST", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "26685d24-b9c8-4ff4-8124-df405b10b037" + "771e5023-c2e5-4711-837a-9e72c55fad80" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -100,49 +163,109 @@ "1199" ], "x-ms-request-id": [ - "b1f60949-8b2e-4d8f-8e25-471062e08524" + "2a6ddce8-eb52-47fd-9b26-435b4044f5ef" ], "x-ms-correlation-request-id": [ - "b1f60949-8b2e-4d8f-8e25-471062e08524" + "2a6ddce8-eb52-47fd-9b26-435b4044f5ef" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195717Z:b1f60949-8b2e-4d8f-8e25-471062e08524" + "FRANCESOUTH:20221117T092901Z:2a6ddce8-eb52-47fd-9b26-435b4044f5ef" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:57:17 GMT" + "Thu, 17 Nov 2022 09:29:01 GMT" ], "Expires": [ "-1" - ], - "Content-Length": [ - "0" ] }, "ResponseBody": "", "StatusCode": 204 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTc3MzUxODc3OTAzMDkyODFfZDU5ODk5NDEtYzk3OS00MDk2LWExZTktZDVkY2Y2ZmIxMzJhP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "d2ae8280-97ee-40d8-b12f-0a827d945716" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + 
"OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "b1f66b6a-d940-4596-9b80-1f260de32f78" + ], + "x-ms-correlation-request-id": [ + "b1f66b6a-d940-4596-9b80-1f260de32f78" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092902Z:b1f66b6a-d940-4596-9b80-1f260de32f78" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:02 GMT" + ], + "Content-Length": [ + "2847" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "6a54ab77-67d0-4577-b1b1-d90ef83cbbd2" + "d90fd2af-dde0-464a-879d-3717341ef652" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
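Review bot: The `ResponseBody` recorded for the `GET .../alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a` call commits a real-looking subscription id (`487bb485-b5b0-471e-9c0d-10717612f869`) and an `azureResourceTenantId` (`72f988bf-86f1-41af-91ab-2d7cd011db47`) verbatim, and the same subscription id recurs in the `RequestUri` entries of the hunks at `@@ -160,22 +283,85 @@` and `@@ -184,8 +370,242 @@`. These are identifiers rather than credentials, but a public test recording does not need them; I would have them replaced at record time with a fixed placeholder such as `00000000-0000-0000-0000-000000000000`. `EncodedRequestUri` is the base64 form of `RequestUri`, so it has to be regenerated from the sanitized URI rather than edited by hand, otherwise playback matching will presumably break. The preceding hunk, which begins outside this view, appears to carry a non-sample alert (resource group `taklei`, geolocated source addresses, `destinationPort` 3389 connection entities); it deserves the same scrub, or a swap to the `[SAMPLE ALERT]` fixture used in this hunk.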
@@ -160,22 +283,85 @@ "Kestrel" ], "x-ms-request-id": [ - "637e77bd-fe65-40a2-a733-2e2594d03389" + "a72dc669-9ff7-4365-843e-85ed1d6f9c88" + ], + "x-ms-correlation-request-id": [ + "a72dc669-9ff7-4365-843e-85ed1d6f9c88" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092904Z:a72dc669-9ff7-4365-843e-85ed1d6f9c88" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:03 GMT" + ], + "Content-Length": [ + "2850" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme 
invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "c4257319-41cb-4594-957d-ccdbc4e43e6c" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "f4edcd2b-98f3-4462-b1c4-98f56026fd71" ], "x-ms-correlation-request-id": [ - "637e77bd-fe65-40a2-a733-2e2594d03389" + "f4edcd2b-98f3-4462-b1c4-98f56026fd71" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T200430Z:637e77bd-fe65-40a2-a733-2e2594d03389" + "FRANCESOUTH:20221117T092905Z:f4edcd2b-98f3-4462-b1c4-98f56026fd71" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 20:04:29 GMT" + "Thu, 17 Nov 2022 09:29:05 GMT" ], "Content-Length": [ - "2795" + "2849" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -184,8 +370,242 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. 
If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Resolved\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL1NhbXBsZS1SRy9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2xvY2F0aW9ucy9jZW50cmFsdXMvYWxlcnRzLzI1MTczMzYyNDExODQ4NjI0MTNfOGRlMDkyNzAtZGM1My00MGQ0LWJlZWQtZjI5ZDQ3NWI1ZDVhP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "894c664b-2aeb-4ddd-b8d4-b1ba9d04d7c4" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + 
"FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "0fcb31ae-473c-438d-8ff9-b644c88da2b6" + ], + "x-ms-correlation-request-id": [ + "0fcb31ae-473c-438d-8ff9-b644c88da2b6" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092907Z:0fcb31ae-473c-438d-8ff9-b644c88da2b6" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:06 GMT" + ], + "Content-Length": [ + "2851" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"InProgress\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/dismiss?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTE4NDg2MjQxM184ZGUwOTI3MC1kYzUzLTQwZDQtYmVlZC1mMjlkNDc1YjVkNWEvZGlzbWlzcz9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "7d975e4d-8e9a-4a2e-b7ad-b9c9a93ca951" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + 
"OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "efa299f2-0569-417b-8499-7baca5c24288" + ], + "x-ms-correlation-request-id": [ + "efa299f2-0569-417b-8499-7baca5c24288" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092903Z:efa299f2-0569-417b-8499-7baca5c24288" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:03 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/resolve?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTE4NDg2MjQxM184ZGUwOTI3MC1kYzUzLTQwZDQtYmVlZC1mMjlkNDc1YjVkNWEvcmVzb2x2ZT9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "2b7eb6da-c5a6-4853-b014-730d2ad2b2dc" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + 
"1199" + ], + "x-ms-request-id": [ + "c2bea5e2-8812-44b3-8942-aa4bda554c28" + ], + "x-ms-correlation-request-id": [ + "c2bea5e2-8812-44b3-8942-aa4bda554c28" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092905Z:c2bea5e2-8812-44b3-8942-aa4bda554c28" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:05 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/inProgress?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTE4NDg2MjQxM184ZGUwOTI3MC1kYzUzLTQwZDQtYmVlZC1mMjlkNDc1YjVkNWEvaW5Qcm9ncmVzcz9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "7ac0aa7b-836b-4e95-b8e2-c1dc02414199" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "19d97c7e-9f5d-4598-96aa-36cf04b1dc2d" + ], + "x-ms-correlation-request-id": [ + "19d97c7e-9f5d-4598-96aa-36cf04b1dc2d" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092906Z:19d97c7e-9f5d-4598-96aa-36cf04b1dc2d" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:06 GMT" + ], + "Expires": [ + "-1" + ] + }, + 
"ResponseBody": "", + "StatusCode": 204 } ], "Names": {}, diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetSubscriptionLevelResource.json index fd5a11d2e41f..2d5be4952028 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAlertTests/SetSubscriptionLevelResource.json @@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjEtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYWxlcnRzP2FwaS12ZXJzaW9uPTIwMjItMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "d4cc6d76-9652-4063-b5f9-c3fac7d59b15" + "10cff901-ef3f-4949-9877-608d7b6cc987" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
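Review bot: The re-recorded entries in this hunk keep the subscription GUID in every `RequestUri`/`EncodedRequestUri` and a tenant GUID in each `ResponseBody` (`azureResourceTenantId`), so if these are live identifiers they are now published with the repository. The same bodies already blank the sample source IP to `00.00.00.00`, and I would have the recorder scrub the tenant value the same way, for example `\"azureResourceTenantId\": \"00000000-0000-0000-0000-000000000000\"` (placeholder), rather than hand-editing the JSON. The subscription GUID may be needed for playback matching, which is not visible from here, so it should only be replaced through the test framework's sanitizer if one exists. The `SetSubscriptionLevelResource.json` hunks that follow carry the same values.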
@@ -34,13 +34,13 @@ "749" ], "x-ms-request-id": [ - "4c31a745-12aa-42cc-841d-5ae97d498593" + "8ad7e204-6ac3-43a7-bd87-a1e3095def18" ], "x-ms-correlation-request-id": [ - "4c31a745-12aa-42cc-841d-5ae97d498593" + "8ad7e204-6ac3-43a7-bd87-a1e3095def18" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195611Z:4c31a745-12aa-42cc-841d-5ae97d498593" + "FRANCESOUTH:20221117T092922Z:8ad7e204-6ac3-43a7-bd87-a1e3095def18" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -49,7 +49,7 @@ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:56:11 GMT" + "Thu, 17 Nov 2022 09:29:22 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -58,31 +58,94 @@ "-1" ], "Content-Length": [ - "143561" + "706137" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"name\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4121044Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:27:00.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n 
\"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187790309281_d5989941-c979-4096-a1e9-d5dcf6fb132a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"name\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.877204Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": 
\"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:58.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187810309281_b5f1716f-edd8-4a1b-947c-bfc4e52a9a80/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"name\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3609448Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:56\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:56\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, 
respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187830309281_7be7cf0e-b502-4b02-99a9-a0a81f85f0eb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"name\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3557186Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:54.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d\",\r\n \"intent\": \"Unknown\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:54\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:54\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187850309281_82c383d6-dce5-46a6-8dfa-51bd945ee90d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"name\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3095755Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:52.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:52\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"08/12/2021 15:26:52\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, The user(objid) does not usually perform this operation, This vault does not usually have 
a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187870309281_a8687660-0c8d-4583-9084-c5a617d46d62/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"name\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4678019Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:50\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"08/12/2021 15:26:50\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187890309281_3ff76da1-7dad-490d-be7d-e20d8c025575/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"name\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3452444Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:48.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"08/12/2021 15:26:48\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"08/12/2021 15:26:48\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187910309281_7869d309-3ac2-44df-8447-f8ee4618c51a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"name\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_AKS_SensitiveMount\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:46.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5\",\r\n \"intent\": 
\"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"Sample\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187930309281_120baab3-4ab7-4014-9208-6f725ae660c5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"name\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5732381Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_ExposedService\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:44.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes service detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. 
This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\\nIn some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.\",\r\n \"remediationSteps\": [\r\n \"1. Find the external IP address of the service with the command: kubectl get service [service name] -n [namespace]. The service name and namespace are in the alert details.\\\\n2. Check whether the service is exposed to the internet by trying to access to its IP address with the port listed in the alert details.\\\\n3. If the service is exposed to the internet and is not protected by an authentication mechanism, escalate the alert to your security information team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"service name\": \"sample-service\",\r\n \"target port\": \"8080\",\r\n \"port\": \"8080\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187950309281_d081776e-5ed8-4db2-91e3-3d6b70347515/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"name\": 
\"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4746809Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:40.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple 
databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T13%3a59%3a46&reportName=MSTI-TS-Brute-Force.pdf&tenantId=aa72f7b4-fc6f-4e96-8517-5d20661ce7ff&urlCreateDateTime=2021-08-12T13%3a59%3a46&token=7vNL6ycsNIIi/%20CFl8p/wWyNpMj51nfUM7hllsUoBBI=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735187990309281_32d7ab57-4a10-4907-b3af-d86bb5906969/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"name\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.262894Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:38.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": 
{\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188010309281_d7be455f-6d00-4fe7-a378-ec5522d035c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"name\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3698246Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:36.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:36.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188030309281_0254db86-74a7-4929-b0d4-de0a448f0c76/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"name\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4494527Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:34.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go 
to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188050309281_14387308-b77d-4510-b9d5-014724e107ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"name\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2741282Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:32.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188070309281_8f0c0265-3fa0-45d2-bd90-3ac723142e69/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"name\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3713443Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:30.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Wasington_Virginia United States\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"Sample agent\",\r\n \"storage container(s) accessed\": \"SampleContainer\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteBlob\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:30\",\r\n \"test: Pipeline name\": \"1.0.4656.1_sample\",\r\n \"storage file path(s) deleted\": \"eicarRequestedObjectKeyFilePath1.vhd, eicarRequestedObjectKeyFilePath2.pfx\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188090153349_7ac1efb5-bf30-4c6e-ac23-d6f281ec1ef4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"name\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"timeGeneratedUtc\": \"2021-08-12T15:27:03.5019361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:28.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage container permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"• Confirm whether the storage container permissions change was performed for a legitimate purpose.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this storage container have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed container permissions to weaken its security.\\r\\n• A legitimate user has changed container permissions.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"TestAgent 2021-08-12T15:26:28.9846650Z\",\r\n \"storage container(s) accessed\": \"eicarContainerName\",\r\n \"container\": \"eicarContainerName1, eicarContainerName2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetContainerACL\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:28\",\r\n \"test: Pipeline name\": \"1.0.4656.1_test\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188110153349_edd313f3-33c6-4a35-979b-fb42e5e6105d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"name\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:26.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key 
Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access. \\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using Tor.\\r\\n• A legitimate user has accessed your storage account using Tor.\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:26\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188130153349_7c258d92-43a5-4f6d-9662-98c52a30cec3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"name\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4209361Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:24.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure 
Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client location\": \"Azure Data Center: East Us\",\r\n \"authentication type\": \"Anonymous\",\r\n \"operations types\": \"GetBlob\",\r\n \"service type\": \"Azure Blobs\",\r\n \"user agent\": \"dummyAgent\",\r\n \"container\": \"eicarTestStorageContainer\",\r\n \"extracted data\": \"140 MB\",\r\n \"test: Slice start time\": \"08/12/2021 15:26:24\",\r\n \"test: Pipeline name\": \"1.0.4656.1_storagetd-brs-a3\",\r\n \"extracted blobs\": \"500\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188150153349_6189dca4-37ab-45f5-bfcb-551205198d7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"name\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x3e7\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_55\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_55\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:22.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_54\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188170153349_96fd08f0-7623-45cd-ac6c-a0245fe5033c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"name\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2358642Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:20.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_61\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n 
\"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:20.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_63\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188190153349_7e8f5d14-58af-4dd3-a6a6-a4de0ebf578f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"name\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_67\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"LogonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2021-08-12T15:26:18.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:18.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_71\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188210153349_5d1552be-1cc6-4ac0-ab57-36809a0801fe/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"name\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3385797Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_76\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:16.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_79\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188230153349_56818a68-50bf-4cda-a6a2-678ab609fbca/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"name\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2246537Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:26:14.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"WorkspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"LogonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_87\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:14.984665Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_87\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188250153349_eb5fc9a3-4d9c-453f-b482-129fb0f12af1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n 
\"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"name\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2313959Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:08.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188310153349_aa029229-86a8-4904-b254-6450bf1f8a52/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"name\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5249506Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n 
\"startTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:06.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188330153349_a3b85641-b81e-4a6e-83cc-9dd8f66945ce/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"name\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3545059Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n 
\"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:04.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_95\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_95\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188350153349_3a9ce82e-e055-4b16-a2e7-44ed5b69a7f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"name\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.292004Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:02.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 
Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n 
\"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_100\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_100\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188370153349_114ef916-68a1-4d11-a464-8b1899c65c58/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"name\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4550558Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:00.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_105\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n 
\"$ref\": \"centralus_105\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188390153349_14f709e3-4215-4a6a-8204-6c711daa813b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"name\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3210584Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:58.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. 
Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"ContainerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": 
\"centralus_109\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188410153349_62c5f525-6fc0-4d01-828f-6fe1d8259e1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"name\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4807428Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a 
command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2021-08-12T15:25:56.9690718Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188430309281_bc9afe46-21c0-4041-9357-2427c5fbe4d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"name\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2316532Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:54.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188450309281_7c82b3ae-b7f7-4f12-89c8-bb898e0991c8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"name\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5426571Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_TI_Proxy\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:52.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] AKS API requests from proxy IP address detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\\r\\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.\",\r\n \"remediationSteps\": [\r\n \"1. Review the IP address in the alert details. If your organization uses proxy services such as TOR for managing the AKS cluster and the IP is recognized, you can ignore the alert.\",\r\n \"2. Consider securing the API server by using authorized IP address ranges (https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"threat Type\": \"Proxy\",\r\n \"threat Description\": \"Tor exit node\",\r\n \"sample URI\": \"sample-URI\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188470309281_965cbf99-ca6c-4863-aea8-b491e4fbf170/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"name\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5146535Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_DeleteEvents\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:50.9690718Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Kubernetes events deleted (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events for hiding their operations in the cluster.\",\r\n \"remediationSteps\": [\r\n \"Verify the legitimacy of the objects that the deleted events are related to.\\\\nIn case the object is suspicious, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"username\": \"sample-user\",\r\n \"ip Address\": \"00.00.00.00\",\r\n \"status\": \"200\",\r\n \"deleted events\": \"sample-event1, sample-event2, sample-event3\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188490309281_d3636b5a-82b9-4445-a57d-f97df5eeb674/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"name\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2959781Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_MaliciousContainerImage\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:48.9690718Z\",\r\n \"endTimeUtc\": 
\"2021-08-12T15:25:48.9690718Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-ConnectedCluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining container detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.\",\r\n \"remediationSteps\": [\r\n \"Review the container in the alert details.\",\r\n \"If malicious, remove the container and escalate the alert to the information security team.\",\r\n \"Be sure to also remove the correlating Deployments \\\\\\\\ ReplicaSets \\\\\\\\ DaemonSets.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Connected Cluster\",\r\n \"namespace\": \"sample-namespace\",\r\n \"container name\": \"sample-container\",\r\n \"container image\": \"sample-image\",\r\n \"pod name\": \"sample-pod\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-ConnectedCluster\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188510309281_a859d451-053a-40b6-938a-4d2016e025d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"name\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2763918Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.9690718Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_AKS_CoreDnsModification\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:46.9690718Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KubernetesService\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] CoreDNS modification in Kubernetes detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.\",\r\n \"remediationSteps\": [\r\n \"Review the configmap in the alert details. Specifically, search for Forward or Hosts configurations that can change the desired DNS behavior. The details of the configuration can be retrieved by the command:\\\\nkubectl get cm coredns-custom -n kube-system -o json\\\\nIf the configuration is intended, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"namespace\": \"sample-namespace\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"sample-user\",\r\n \"configmap name\": \"coredns-custom\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/Sample-KubernetesService\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188530309281_9dd3761a-714a-4de5-9edf-a3641eecf3f4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"name\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.3496523Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security 
Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:44.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": 
\"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-08-12T14%3a22%3a59&reportName=MSTI-TS-Brute-Force.pdf&tenantId=486418ae-549f-45e9-8399-1399b172c638&urlCreateDateTime=2021-08-12T14%3a22%3a59&token=/blU%20E%20vbq2LmaDzn2NkEM/bXEyftIKAR/DPmJu8xVc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_129\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188550153349_9c1f5900-27ad-4caf-a78c-c67c8be1545d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"name\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:13.9865839Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:42.984665Z\",\r\n \"severity\": \"High\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable 
statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188570153349_64ce81f5-91c3-412f-a248-7e34c58f3b7c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"name\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.2090318Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n 
\"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:40.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal 
name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188590153349_b515f050-153f-46fa-bf36-116f9bc7d2fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"name\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5175386Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:38.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n 
\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": 
\"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_147\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_146\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188610153349_593319a0-eb37-4a7d-8f67-2a5b7a13ea54/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"name\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4347524Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:36.984665Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188630153349_32cad962-43a0-4691-8c14-443890eccece\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. Change the credentials for all resources that the user had permissions to access.\\n6. 
Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_153\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188630153349_32cad962-43a0-4691-8c14-443890eccece/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"name\": 
\"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.4166987Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:25:34.984665Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. 
Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188650153349_782e0960-6954-4e2f-8f79-69c554da3a05/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Security/locations/centralus/alerts/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"name\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-06-12T19:40:33.8308539Z\",\r\n \"processingEndTimeUtc\": \"2021-06-12T19:40:32.548439Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure 
Security Center\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"Storage.Blob_AnonymousScan.Containers\",\r\n \"startTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"endTimeUtc\": \"2021-06-12T18:11:54.456Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"correlationKey\": \"eQXuNbERVh6e/t+5e+8g+5PLuHGkeLWBAAjR80eo/KQ=\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"AzureResource\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"storagefdi4i\",\r\n \"alertDisplayName\": \"PREVIEW - Anonymous scan of public storage containers\",\r\n \"description\": \"There were 94 failed attempts to anonymously identify publicly accessible containers in your storage account `storagefdi4i`. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. In many cases, attackers might successfully access data after a series of failed attempts. 
It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• If public access is not needed for the Azure Storage containers, consider disallowing it on the entire storage account or limiting it selectively on specific containers or blobs (https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent).\",\r\n \"• We recommend that you always follow the least privilege principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• To prevent breaches of sensitive data, please review your Azure Storage containers and make sure no sensitive data is stored in them.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"alert Id\": \"c2e8b810-06f7-4327-9983-5d6949f39929\",\r\n \"azure AD user\": \"N/A (Azure AD authentication was not used)\",\r\n \"user agent\": \"Go-http-client/1.1\",\r\n \"api type\": \"Blob\",\r\n \"client location\": \"N/A\",\r\n \"number of failed access attempts\": \"94\",\r\n \"among the enumeration terms used\": \"app, bin, blog, deploy, confidential, crm, builds, doc, customers, images, attachments, intranet, backups, customer, exports, img, data, blob, downloads, build, azure, export, files, bucket, database, dev, admin, emails, dist, development, documents, debug, assets, cdn, devops, download, backup, code, erp, logs, cache, iso, creds, bak, credentials, config, file, administrator, attachment, exe\",\r\n \"number of containers successfully accessed\": \"0\",\r\n \"list of containers successfully accessed\": \"\",\r\n \"authentication type\": \"Anonymous\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"service type\": \"Azure Blobs\",\r\n \"potential causes\": \"\",\r\n \"resourceType\": \"Storage\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotsimulator/providers/Microsoft.Storage/storageAccounts/storagefdi4i\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"address\": \"78.46.106.254\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0768,\r\n \"latitude\": 49.452,\r\n \"asn\": 24940\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_159\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517787792855439999_c2e8b810-06f7-4327-9983-5d6949f39929/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/iotsimulator/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"name\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"InProgress\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.869602Z\",\r\n \"processingEndTimeUtc\": 
\"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_APPS_WpThemeInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:18:01.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious WordPress theme invocation detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\\r\\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\\r\\nThis type of activity was seen in the past as part of an attack campaign over WordPress.\",\r\n \"remediationSteps\": [\r\n \"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.\",\r\n \"2. 
If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"sample Source IP Addresses\": \"00.00.00.00\",\r\n \"sample User Agents\": \"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36\",\r\n \"last Event Time\": \"12/11/2019 12:34:27 AM\",\r\n \"sample Referer\": \"-\",\r\n \"sample URIs\": \"/login.php\",\r\n \"resourceType\": \"App Service\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"hostName\": \"Sample-App\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241184862413_8de09270-dc53-40d4-beed-f29d475b5d5a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"name\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.8636228Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_MaliciousContent-AzureWebApps\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:59.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Phishing content hosted on Azure Webapps\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.\",\r\n \"remediationSteps\": [\r\n \"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)\",\r\n \"2. 
Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"resourceType\": \"App Service\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"url\": \"https://sample.azurewebsites.net\",\r\n \"type\": \"url\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241204862413_a2f1c26a-afc8-4f78-9f56-a4a396e6cdb6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"name\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3642739Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_OperationVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] User accessed high volume of Key Vaults\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:57\",\r\n \"all vault operations in last 24 hours\": \"[SecretSet:1, SecretGet:5, Authentication:2, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultGet:2]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:57\",\r\n \"client Information\": \"Microsoft.Azure.Management.Resources.ResourceManagementClient/2.0.0.0, \",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) performed more operations than usual, The user(objid) does not usually come from this IP, The user(objid) performed more operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, 
callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241224862413_c9827456-fa7a-4b3b-929e-225cd9a1c482/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"name\": \"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.174761Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_AccountVolumeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:55.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] High volume of operations in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:55\",\r\n \"all vault operations in last 24 hours\": \"[AfterAuthentication:1, SecretGet:345545, EventGridGetAllSubscriptions:19, Authentication:169, VaultGet:3]\",\r\n \"suspicious Operations\": \"[SecretGet:64]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:55\",\r\n \"alert Reasons\": \"[The application(appid) accessed more vaults than usual, The application(appid) does not usually come from this IP, The user(objid) accessed more vaults than usual, The user(objid) does not usually come from this IP, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n 
\"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241244862413_080c4ccc-ec92-40ad-8a4c-0b76dc121e45/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"name\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0812111Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_ListGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:53.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Secret List operation was followed by numerous Secret Get operations. 
In addition, this operation pattern is not normally performed by the user on this vault. This is likely indicative that someone is dumping the This is sample alert: secrets stored in the Key Vault for potentially malicious purposes.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:53\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:1, SecretGet:3, VaultGet:1, SecretList:5]\",\r\n \"suspicious Operations\": \"[SecretGet:3, SecretList:5]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"OK\",\r\n \"start Time UTC\": \"11/17/2022 09:17:53\",\r\n \"client Information\": \"FxVersion/4.8.4075.0 OSName/Windows10Enterprise OSVersion/6.3.18363 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"alert Reasons\": \"[The application(appid) does not usually access this vault, The application(appid) does not usually come from this IP, The application(appid) does not usually perform a credential list operation followed by a get operation, The application(appid) does not usually perform this operation, The number of applications which accessed this vault is more than usual, The number of users(objid) who accessed this vault is more than usual, The user(objid) does not usually access this vault, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a credential list operation followed by a get operation, 
The user(objid) does not usually perform this operation, This vault does not usually have a credential list operation followed by a get operation, This vault does not usually have this operation, This vault had more operations than usual, This vault had more types of operations than usual, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241264862413_759dd0b3-a2fb-4e11-8e15-2e647a2ea558/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"name\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:04.1952593Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_PutGetAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. 
If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:51\",\r\n \"all vault operations in last 24 hours\": \"[VaultGet:14, CertificateImport:1, CertificateGet:479, VaultPut:4, SecretGet:760, Authentication:3]\",\r\n \"suspicious Operations\": \"[SecretGet:2, VaultPut:4, VaultGet:5, CertificateGet:24]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"FxVersion/4.8.4121.0, FxVersion/4.8.4121.0 OSName/Windows10Enterprise OSVersion/6.3.17763 Microsoft.Azure.KeyVault.KeyVaultClient/3.0.0.1\",\r\n \"result Signature\": \"OK\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"start Time UTC\": \"11/17/2022 09:17:51\",\r\n \"alert Reasons\": \"[The application(appid) does not usually come from this IP, The application(appid) does not usually perform a policy change operation followed by a credential get operation, The application(appid) does not usually perform this operation, The user(objid) does not usually come from this IP, The user(objid) does not usually perform a policy change operation followed by a credential get operation, The user(objid) does not usually perform this operation, This vault does not usually have a policy change operation followed by a credential get operation, This vault does not usually have this operation, This vault is not usually accessed from this IP] Note: related application(appid), user(objid), IP and operations are included in appid, objid, callerIpAddress and suspiciousOperations entries, respectively\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_18\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241284862413_55e7cf15-861e-47a1-b897-a2dcd920b24a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"name\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:14.9914481Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_KV_TORAccess\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:49.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-KV\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a TOR exit node to a Key Vault\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.\",\r\n \"remediationSteps\": [\r\n \"Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Key Vault\",\r\n \"end Time UTC\": \"11/17/2022 09:17:49\",\r\n \"all vault operations in last 24 hours\": \"[Authentication:777440, SecretSet:1, SecretGet:777399]\",\r\n \"suspicious Operations\": \"[Authentication:1, SecretGet:1]\",\r\n \"attacker IP Address\": \"00.00.00.00\",\r\n \"attacker Object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"result Signature\": \"Not Found, Unauthorized\",\r\n \"start Time UTC\": \"11/17/2022 09:17:49\",\r\n \"application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Information\": \"python/3.8.0 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 azure-keyvault/7.0 Azure-SDK-For-Python\",\r\n \"alert Reasons\": \"[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide 
their true source location.]\",\r\n \"target\": \"https://sample.vault.azure.net/secrets/sample\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/microsoft.keyvault/vaults/Sample-KV\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241304862413_3ad2c706-89d1-43e7-b170-7a7b478f13d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"name\": \"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.2261751Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_K8S_SensitiveMount\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:47.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41\",\r\n \"intent\": \"PrivilegeEscalation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.\",\r\n \"remediationSteps\": [\r\n \"Review the container and the path in the alert details.\",\r\n \"If possible, consider mounting only specific folders or files that are necessary to the container operation.\",\r\n \"If the container is not legitimate, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"namespace\": \"Sample-namespace\",\r\n \"container image\": \"sample-image\",\r\n \"container name\": \"sample-container\",\r\n \"pod name\": \"sample-pod\",\r\n \"sensitive mount name\": \"sample-mount\",\r\n \"sensitive mount path\": \"/Sample\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"PrivilegeEscalation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"name\": \"Sample-namespace\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"name\": \"sample-pod\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"type\": \"K8s-pod\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"name\": \"sample-container\",\r\n \"image\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"pod\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241324862413_16e4b810-cc81-43bd-88f5-c5f416cafd41/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"name\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.1277565Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_AdmissionController\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:45.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada\",\r\n \"intent\": \"Persistence, CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Creation of admission webhook configuration detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook).\",\r\n \"remediationSteps\": [\r\n \"Review the admission controller webhook associated with this configuration. 
The details of the webhook configuration can be retrieved by the command:\",\r\n \"kubectl get mutatingwebhookconfigurations sample -o json\",\r\n \"If this configuration belongs to a legitimate admission controller in the cluster, you can ignore the alert.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resource type\": \"mutatingwebhookconfigurations\",\r\n \"resource name\": \"sample\",\r\n \"webhook configuration rules\": \"[{\\\"apiGroups\\\":[\\\"*\\\"],\\\"resources\\\":[\\\"pods\\\"],\\\"apiVersions\\\":[\\\"*\\\"],\\\"operations\\\":[\\\"CREATE\\\"],\\\"scope\\\":\\\"*\\\"}]\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Persistence, CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241344862413_5e3ea537-b8d7-4368-87c6-fdbd7150fada/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"name\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.650249Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": 
\"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:41.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Brute Force attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Brute force attack, penetration testing.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"data Center\": \"East US 2\",\r\n \"failed Logins\": \"0\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute 
Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\\\"}}\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T08%3a01%3a37&reportName=MSTI-TS-Brute-Force.pdf&tenantId=36141d0d-51a3-416b-a40c-ad019d5a5b02&urlCreateDateTime=2022-11-17T08%3a01%3a37&token=QFwN4yDMKVqr%20BZM/b/4ml7zuTdJPH8d0epXPbn9SIc=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241384862413_b9df9011-0644-49e8-a130-0e5e8eaa4d11/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"name\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4246385Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:39.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Penetration testing, malicious activity\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": 
\"Sample-app\",\r\n \"client IP Location\": \"Boydton, United States\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"data Center\": \"East US 2\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"United States\",\r\n \"city\": \"Boydton\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241404862413_01421344-d8c2-4134-bc7d-2f202813c7fa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"name\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.5120779Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:37.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0\",\r\n \"intent\": 
\"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/www.microsoft.com\\\\/en-us\\\\/download\\\\/details.aspx?id=13759\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements.\",\r\n \"threat ID\": \"30\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"principal name\": \"Sample-account\",\r\n \"application\": \"Internet Information Services\",\r\n \"database\": \"Sample-DB\",\r\n \"server\": \"Sample-SQL\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241424862413_9771eb7f-dd1c-4a1c-abbb-dd718b9d0ac0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"name\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4739185Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_SQL.DB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187\",\r\n \"intent\": \"Exploitation\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Logon from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as 
possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"potential causes\": \"Unauthorized access that exploits an opening in the firewall; legitimate access from a new location.\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Microsoft SQL Server Management Studio\",\r\n \"client IP Location\": \"US\",\r\n \"recommendations\": \"{\\\"displayValue\\\":\\\"Ensure the use of strong passwords, and avoid reusing them across multiple databases.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2099068\\\"}\",\r\n \"client Hostname\": \"Sample-VM\",\r\n \"killChainIntent\": \"Exploitation\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"type\": \"ip\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241444862413_a23c5ba4-29cb-431b-be3d-d89c74ef0187/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"name\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.508384Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"SIMULATED_SQL.DB_DataExfiltration.ImportExportLocationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:33.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-SQL\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual export location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Be sure to secure the new copy of your SQL server in the unusual storage account and follow the principle of \\\\\\\"least privilege\\\\\\\" for your SQL server\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/docs.microsoft.com\\\\/en-us\\\\/dotnet\\\\/framework\\\\/data\\\\/adonet\\\\/sql\\\\/authorization-and-permissions-in-sql-server\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Database\",\r\n \"client IP Address\": \"00.00.00.00\",\r\n \"client Principal Name\": \"Sample-account\",\r\n \"client Application\": \"Sample-app\",\r\n \"storage Name\": \"Sample-storage\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"location\": {\r\n \"countryName\": \"US\",\r\n \"city\": \"New York\"\r\n },\r\n \"isValid\": false,\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"resourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Sql/servers/Sample-SQL/databases/Sample-DB\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241464862413_a63a7b5f-ba11-4c0e-9752-865ce7f32982/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"name\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.793991Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectExecutablePath\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_50\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Executable found running from a suspicious location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.\",\r\n \"remediationSteps\": [\r\n \"Review with %{User Name} the suspicious process in this alert to see if you recognise this as legitimate administrative activity. If not, Escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Process Id\": \"0x1eec\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"account Session Id\": \"0x3e7\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"suspicious Command Line\": \"c:\\\\windows\\\\inf\\\\sample.exe\",\r\n \"user Name\": \"WORKGROUP\\\\Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": 
\"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"directory\": \"c:\\\\windows\\\\inf\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"name\": \"SAMPLE-account\",\r\n \"ntDomain\": \"SAMPLE\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"sid\": \"S-0-0-00\",\r\n \"isDomainJoined\": true,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x3e7\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"processId\": \"0x1038\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"processId\": \"0x1eec\",\r\n \"commandLine\": \"\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_54\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sessionId\": \"0x3e7\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:23.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_53\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241564549599_50f651d1-6214-4500-99ae-e64fd3c77fae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"name\": 
\"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.802386Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on 
Sample-VM. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"user Name\": \"Sample-account\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Command Line\": \"\\\\sample.exe -t 4\",\r\n \"suspicious Process Id\": \"0x1640\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x427d8dd9\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"directory\": \"c:\\\\temp\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_61\",\r\n \"processId\": \"0x1020\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"name\": \"Sample-account\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"sid\": \"S-1-5-21-3061399664-1673012318-3185014992-20022\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x427d8dd9\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"processId\": \"0x1640\",\r\n \"commandLine\": \".\\\\sample.exe -t 4\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_60\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": 
\"centralus_61\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sessionId\": \"0x427d8dd9\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:21.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_59\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_62\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241584549599_6ff9d6fb-15b5-49b7-9cda-d40c832da291/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"name\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.0348941Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM_SuspectPhp\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n 
\"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspicious PHP execution detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\\r\\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\",\r\n \"2. Make sure that the web application is up-to-date.\",\r\n \"3. 
If possible, disable the sensitive PHP commands (see: http://php.net/manual/ini.core.php#ini.disable-functions).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"suspicious Command Line\": \"php\",\r\n \"suspicious Process Id\": \"0x1e99b\",\r\n \"account Session Id\": \"0xbd6e\",\r\n \"suspicious Process\": \"php\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"user Name\": \"Sample-account\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"php\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"processId\": \"0x1e49a\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"name\": \"Sample-account\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"sid\": \"\",\r\n \"type\": \"account\",\r\n \"logonId\": \"0xbd6e\"\r\n },\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"processId\": \"0x1e99b\",\r\n \"commandLine\": \"php\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_68\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_69\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sessionId\": \"0xbd6e\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:19.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:19.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_67\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_70\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241604549599_f63a54c4-8f46-4173-b83f-32ac43b3cf49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"name\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8902381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_GoldFileCleanup\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n 
\"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected suspicious file cleanup commands\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.\",\r\n \"remediationSteps\": [\r\n \"Review with user Sample-account the 'sample.exe executions and delete commands flagged in this alert to confirm that they are legitimate and expected on Sample-VM. 
If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"OMS-AGENT-2\",\r\n \"suspicious Process Id\": \"0x4a8\",\r\n \"suspicious Command Line\": \"cmd /c echo \\\" systeminfo && systeminfo && del \\\"\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"OMS-AGENT-2\\\\DnzmNhMdW96g7j3\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: GOLD\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2020-06-05T06%3a24%3a18&reportName=MSTI-AGP-GOLD.pdf&tenantId=7bf32e19-dc11-416d-85e8-2cff75271e2a&urlCreateDateTime=2020-06-05T06%3a24%3a18&token=%2083e9In2MDZfBKT5aMOejPcfhpNovCKiidxcnKaBGnQ=\\\"}}\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"cmd.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": 
\"centralus_75\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"processId\": \"0x4a8\",\r\n \"commandLine\": \"cmd /c echo Hi\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_76\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_77\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:17.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_75\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_78\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241624549599_d78fd4ee-e38d-491d-9c4b-05c7fe9f0799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"name\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.9525043Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"SIMULATED_VM.Windows_PetyaRansomware\",\r\n \"startTimeUtc\": 
\"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceResourceGroup\": \"defaultresourcegroup-wus\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"00000000-0000-0000-0000-000000000000\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Detected Petya ransomware indicators\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.\",\r\n \"remediationSteps\": [\r\n \"1. Run a full anti-malware scan and verify that the threat was removed\",\r\n \"2. Install and run Microsoft’s Malicious Software Removal Tool (see http://www.microsoft.com/security/pc-security/malware-removal.aspx)\",\r\n \"3. 
Perform these actions pre-emptively on other hosts in your network.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Virtual Machine\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x1574\",\r\n \"suspicious Command Line\": \"sample\",\r\n \"suspicious Process\": \"c:\\\\windows\\\\system32\\\\sample.exe\",\r\n \"account Session Id\": \"0x12ed4a93\",\r\n \"user Name\": \"Sample-account\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Petya\\\":\\\"\\\"}}\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"Sample-VM\",\r\n \"netBiosName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"osFamily\": \"Windows\",\r\n \"osVersion\": \"Windows\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"directory\": \"c:\\\\windows\\\\system32\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"processId\": \"0x12ac\",\r\n \"commandLine\": \"\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"name\": \"Sample-VM\",\r\n \"ntDomain\": \"Sample-VM\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"sid\": \"\",\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\",\r\n \"logonId\": \"0x12ed4a93\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"processId\": \"0x1574\",\r\n \"commandLine\": \"sample\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_84\"\r\n },\r\n 
\"account\": {\r\n \"$ref\": \"centralus_86\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_85\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sessionId\": \"0x12ed4a93\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:15.54504Z\",\r\n \"type\": \"host-logon-session\",\r\n \"host\": {\r\n \"$ref\": \"centralus_83\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_86\"\r\n }\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241644549599_f5398038-bb33-476b-9ee1-bbcd8440b52c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"name\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2780047Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AmRealtimeProtectionDisabled\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845\",\r\n \"intent\": \"DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.\",\r\n \"remediationSteps\": [\r\n \"1. Determine if the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional - dismiss the alert. Otherwise, enable the antimalware real-time threat protection and treat the user account, subscription and virtual machine as compromised and continue with the next steps.\\n3. Remediate the compromised user account – change the password, review all activities performed by the user via Azure Activity Logs and locate suspicious activities\\n4. 
Remediate the compromised subscription - Review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, review all activities performed in this subscription via Azure Activity Logs and locate suspicious activities.\\n5. Remediate the compromised virtual machine – change the password of all users, run full antimalware scan on your virtual machine.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample Principal\",\r\n \"antimalware enabled\": \"true\",\r\n \"real time antimalware protection enabled\": \"false\",\r\n \"scheduled antimalware scan enabled\": \"\",\r\n \"extension Name\": \"IaasAntimalware\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"DefenseEvasion\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241704549599_a7a3d7f7-5424-410e-8dc9-af6feec3f845/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"name\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3561453Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_CustomScriptExtensionSuspiciousCmd\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:07.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\\nAttackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.\",\r\n \"remediationSteps\": [\r\n \"1. Contact the account owner to determine whether the activity was intentional. If the activity was intentional, dismiss the alert.\\n2. If the activity was unexpected, treat the user account, subscription, and virtual machine as compromised.\\n3. To remediate compromised user accounts, delete them if they’re unfamiliar (as they may have been created by a threat actor), otherwise change their authentication credentials. Use Azure Activity Logs to review all activities performed by the user and identify any that are suspicious.\\n4. 
To remediate compromised subscriptions, remove any unfamiliar Runbooks from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources in the subscription (delete any that are unfamiliar), review and investigate any security alerts for the subscription in Azure Security Center, and use Azure Activity Logs to review all activities performed in the subscription and identify any that are suspicious.\\n5. To remediate the compromised virtual machine, change the passwords for all users, run a full antimalware scan on the machine, and reimage the virtual machine from a malware-free source.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"principal name\": \"Sample user\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"identity address\": \"\",\r\n \"suspicious command\": \"powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241724549599_47d719c0-69d3-4cee-ba56-8d271774f5da/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"name\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DarkWeb\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:05.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Anonymity network activity (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"domainName\": 
\"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_94\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_94\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241744549599_a0d52777-680f-497a-a19e-1202ede123ac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"name\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.358978Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:03.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Possible data exfiltration via DNS tunnel 
(Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_100\",\r\n \"dnsDomain\": \"\",\r\n \"ntDomain\": \"\",\r\n \"hostName\": \"sampleHost\",\r\n \"netBiosName\": \"sampleHost\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_99\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_99\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241764549599_ec62b5ca-d799-45f2-992a-3f3870adef1e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"name\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1504496Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_PhishingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:01.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"azureResourceId\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Communication with possible phishing domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.\",\r\n \"remediationSteps\": [\r\n \"Investigate the domain (using whois), validating that the registration belongs to the expected owner.\",\r\n \"If ownership is suspect, contact the machine owner to highlight the discrepancy and verify the degree of interaction, suggesting user log into any account(s) potentially exposed during suspicious session, validate recent activity and change compromised password(s).\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_105\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_104\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_104\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241784549599_2a6023f1-83a9-4b54-b355-461e719cdbcb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"name\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.1876995Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"DNS\",\r\n \"alertType\": \"SIMULATED_AzureDNS_SinkholedDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:59.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": 
\"[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of DNS transactions detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.\",\r\n \"remediationSteps\": [\r\n \"Ask the machine owner if this is intended behavior.\",\r\n \"If the activity is unexpected, treat the machine as potentially compromised and remediate as follows.\",\r\n \"Isolate the machine from the network to prevent lateral movement.\",\r\n \"Run a full antimalware scan on the machine, following any resulting remediation advice.\",\r\n \"Review installed and running software on the machine, removing any unknown or unwanted packages.\",\r\n \"Revert the machine to a known good state, reinstalling operating system if required and restoring software from a verified malware-free source.\",\r\n \"Resolve Azure Security Center recommendations for the machine, remediating highlighted security issues to prevent future breaches.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"domainName\": \"sample.domain\",\r\n \"answers\": \"00.00.00.00\",\r\n \"resourceType\": \"AzureDNS\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/Sample-VM\",\r\n \"type\": \"host\",\r\n \"containerId\": null\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Francisco\",\r\n \"longitude\": 
0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"domainName\": \"sample.domain\",\r\n \"ipAdresses\": [\r\n {\r\n \"$ref\": \"centralus_108\"\r\n }\r\n ],\r\n \"hostIpAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"type\": \"dns\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241804549599_c4eda3f1-c08e-4a5f-8166-2176047d6a8f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"name\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.0653492Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_HighPrivilegeCommand\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempt to run high privilege command detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.\",\r\n \"remediationSteps\": [\r\n \"1. Review the command line in the alert details. If legitimate, you can ignore the alert. If not, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"compromised Host\": \"Sample-VM\",\r\n \"suspicious Process Id\": \"0x4680\",\r\n \"suspicious Command Line\": \"sample.exe\",\r\n \"suspicious Process\": \"sample.exe\",\r\n \"parent Process\": \"sample.exe\",\r\n \"account Session Id\": \"0x15c0644\",\r\n \"user Name\": \"Sample-account\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"directory\": \"sample\",\r\n \"name\": \"sample.exe\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Web/sites/Sample-App\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"processId\": \"0x39a8\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"processId\": \"0x4680\",\r\n \"commandLine\": \"sample.exe\",\r\n \"elevationToken\": \"Default\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:57.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241824862413_93c3f43b-80af-4e67-826c-1b293865bfc6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"name\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:03.9104498Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"App Services\",\r\n \"alertType\": \"SIMULATED_AppServices_DanglingDomain\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f\",\r\n \"intent\": \"Unknown\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-App\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Dangling DNS record for an App Service resource detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \\\"dangling DNS\\\" entry) has been detected. 
This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.\",\r\n \"remediationSteps\": [\r\n \"From your DNS zone, remove all CNAME records that point to the deleted App Service resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"App Service\",\r\n \"domain\": \"sample-domain.com\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-app\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241844862413_6c308f3f-1614-4e9d-ba37-b7146d8ace6f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"name\": \"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3436878Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_DigitalCurrencyMining\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35\",\r\n \"intent\": \"Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Digital currency mining related behavior detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining.\",\r\n \"remediationSteps\": [\r\n \"Review with the specified user the suspicious command process and command line to confirm that this is legitimate activity. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"AKS-AGENTPOOL-00171883-vmss000000\",\r\n \"suspicious Process\": \"/tmp/gcc\",\r\n \"suspicious Command Line\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"parent Process\": \"bash\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"imageName\": \":\",\r\n \"process Origin\": \"Pod Container\",\r\n \"resourceType\": \"Kubernetes Service\",\r\n \"killChainIntent\": \"Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.ContainerService/ManagedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"imageId\": 
\"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"directory\": \"\",\r\n \"name\": \"bash\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"directory\": \"/tmp\",\r\n \"name\": \"gcc\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_118\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_119\"\r\n },\r\n \"type\": \"container\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_122\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_121\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/tmp/gcc -T -o stratum+tcp://stratum.slushpool:3333 -u foobar -p baz -o stratum+tcp://stratum.f2pool.com:3333 -u foobar -p baz -o stratum+tcp://stratum.antpool.com:3333 -u foobar -p baz\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_123\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_125\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_124\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241864862413_ae31f5c7-acae-4ab5-85e0-d9d2eb0beb35/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"name\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3309137Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_ImdsCall\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access to cloud metadata service detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container 
detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container.\",\r\n \"remediationSteps\": [\r\n \"Review the command line in the alert details. If the container should acquire identity tokens, you can ignore the alert.\",\r\n \"If this behavior isnt expected, escalate the alert to your information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"sample-user\",\r\n \"process Name\": \"/usr/bin/curl\",\r\n \"command\": \"curl -s -H Metadata: true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net\",\r\n \"process Id\": \"18775\",\r\n \"container ID\": \"cc8ec8580f4c\",\r\n \"image Name\": \"sample-image:v1\",\r\n \"resourceType\": \"EKS Cluster\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/AWS-Master-Connector_012345678901/securityentitydata/aws-eks-cluster-sample-cluster-ap-us-east-2\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"imageId\": \"sample-image:v1\",\r\n \"type\": \"container-image\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"isValid\": false,\r\n \"type\": \"amazon-resource\",\r\n \"amazonResourceId\": \"arn:aws:eks:us-east-2:012345678901:cluster/sample-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"containerId\": \"cc8ec8580f4c\",\r\n \"image\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"type\": \"container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241884862413_da0ad177-1118-4019-a1ed-c4c83d1adbc3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"name\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.4027022Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_NODE_SuspectProcessTermination\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:49.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Security-related process termination detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Analysis of processes running within a container or directly 
on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.\",\r\n \"remediationSteps\": [\r\n \"Review and confirm that this was legitimate activity that you expect to see on this container or pod. If not, escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"compromised Host\": \"aks-agentpool-00171883-vmss000000\",\r\n \"user Name\": \"root\",\r\n \"suspicious Process\": \"/usr/bin/pkill\",\r\n \"suspicious Command Line\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"suspicious Process Id\": \"0x2dc8\",\r\n \"parent Process\": \"auomsctl\",\r\n \"process Origin\": \"Kubernetes Node\",\r\n \"account Session Id\": \"0xd5a\",\r\n \"resourceType\": \"GKE Cluster\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"hostName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"netBiosName\": \"aks-agentpool-00171883-vmss000000\",\r\n \"osFamily\": \"Linux\",\r\n \"osVersion\": \"Linux\",\r\n \"type\": \"host\",\r\n \"containerId\": \"cc8ec8580f4c\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"directory\": \"/usr/bin\",\r\n \"name\": \"pkill\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"directory\": \"\",\r\n \"name\": \"auomsctl\",\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"isValid\": false,\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"isValid\": false,\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n 
\"name\": \"root\",\r\n \"isValid\": false,\r\n \"id\": \"3418\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"isValid\": false,\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"projectId\": \"012345678901\",\r\n \"resourceType\": \"GKE\",\r\n \"resourceName\": \"Sample-Cluster\",\r\n \"location\": \"us-central1-c\",\r\n \"locationType\": \"Zonal\",\r\n \"type\": \"gcp-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"name\": \"sample-cluster\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"processId\": \"0x2dc3\",\r\n \"commandLine\": \"\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"processId\": \"0x2dc8\",\r\n \"commandLine\": \"/usr/bin/pkill -KILL -x -U 0 auoms\",\r\n \"creationTimeUtc\": \"2022-11-17T09:16:53.5137586Z\",\r\n \"imageFile\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"account\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"parentProcess\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"host\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"type\": \"process\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241904862413_3ecac552-63f9-4f8f-aca2-228ea8ffe76a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"name\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.3269355Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_K8S_ExposedDashboard\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Cluster\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.\",\r\n \"remediationSteps\": [\r\n \"Review the LoadBalancer service in the alert details. 
In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"username\": \"alias@domain.com\",\r\n \"namespace\": \"kubernetes-dashboard\",\r\n \"service name\": \"kubernetes-dashboard\",\r\n \"port\": \"443\",\r\n \"target port\": \"8443\",\r\n \"resourceType\": \"Kubernetes - Azure Arc\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"cloudResource\": {\r\n \"$ref\": \"centralus_149\"\r\n },\r\n \"type\": \"K8s-cluster\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"cluster\": {\r\n \"$ref\": \"centralus_150\"\r\n },\r\n \"type\": \"K8s-namespace\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"name\": \"kubernetes-dashboard\",\r\n \"namespace\": {\r\n \"$ref\": \"centralus_151\"\r\n },\r\n \"type\": \"K8s-service\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241924862413_7c2cab44-ac41-4483-a0f4-a53a9481a3b2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"name\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-11-17T09:18:06.5211367Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_BruteForce\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:45.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Suspected successful brute force attack\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Brute force attack; penetration testing.\",\r\n \"client principal name\": \"Sample-account\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP 
location\": \"san antonio, united states\",\r\n \"client application\": \"Sample-app\",\r\n \"successful logins\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"failed logins\": \"0\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"enrichment_tas_threat__reports\": \"{\\\"Kind\\\":\\\"MultiLink\\\",\\\"DisplayValueToUrlDictionary\\\":{\\\"Report: Brute Force\\\":\\\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\\\"}}\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-11-17T09%3a17%3a15&reportName=MSTI-TS-Brute-Force.pdf&tenantId=e1138600-e9cd-42ba-a8a9-083dc88216ad&urlCreateDateTime=2022-11-17T09%3a17%3a15&token=khm1ipbU2AiBA6m2LF4721dy%2026D3u9doKoJGYd21%20c=\",\r\n \"category\": \"enrichment_tas_threat__reports\",\r\n \"label\": \"Report: Brute Force\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": 
\"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_156\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_155\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241944549599_30ff397d-a059-48cc-abb2-fb5218e1768e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"name\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5596257Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": 
\"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_PotentialSqlInjection\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:43.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential SQL Injection\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM\",\r\n \"remediationSteps\": [\r\n \"{\\\"displayValue\\\":\\\"Read more about SQL Injection threats and best practices for safe application code.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2106894\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"potential causes\": \"Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"alert Id\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"threat ID\": \"1\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"vulnerable statement\": \"*** Anonymized ***\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"name\": \"Sample-SA\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_162\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241964549599_9b4143ed-3e75-49f4-98dc-3e70be373258/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"name\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5620796Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_HarmfulApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:41.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Attempted logon by a potentially harmful application\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.\",\r\n \"remediationSteps\": [\r\n \"Go to 
the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"Penetration testing; malicious activity\",\r\n \"client principal name\": \"Sample-user\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client application\": \"Sample-app\",\r\n \"client IP location\": \"Sample\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"successful Logins from potentially harmful application\": \"1\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_168\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_168\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_170\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_167\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241984549599_b57da812-0eb1-4889-83f8-72eca9fa37ec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"name\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.5777053Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"SQL Server on Azure Virtual Machine\",\r\n \"alertType\": \"SIMULATED_SQL.VM_SuspiciousIpAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:39.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"workspaceId\": \"00000000-0000-0000-0000-000000000001\",\r\n \"workspaceSubscriptionId\": 
\"00000000-0000-0000-0000-000000000000\",\r\n \"workspaceResourceGroup\": \"Sample-RG\",\r\n \"agentId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"LogAnalytics\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-VM\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Login from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\r\n \"remediationSteps\": [\r\n \"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"SQL Server 2019\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\r\n \"potential causes\": \"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\r\n \"client principal name\": \"Sample-user\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"client IP location\": \"Sample\",\r\n \"client application\": \"Sample-app\",\r\n \"oms workspace ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"oms agent ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"hostName\": \"Sample-VM\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\r\n \"omsAgentID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": 
\"sample\",\r\n \"countryName\": \"united states\",\r\n \"state\": \"texas\",\r\n \"city\": \"san antonio\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 0.0,\r\n \"asn\": 0,\r\n \"carrier\": \"sample\",\r\n \"organization\": \"sample-organization\",\r\n \"organizationType\": \"sample-organization\",\r\n \"cloudProvider\": \"Azure\",\r\n \"systemService\": \"sample\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Sample-Provider\",\r\n \"threatType\": \"Sample-Threat\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 0.8,\r\n \"threatDescription\": \"Sample-Threat\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"name\": \"Sample-SA\",\r\n \"host\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242004549599_f553fe3a-9ccd-4f79-b1a9-64fab5db80d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"name\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.3749955Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": 
\"SIMULATED_ARM_AnomalousRBACRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:37.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same assigner.\\n The following components were anomalous:\\n -Assigner Authentication Method \\n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.\",\r\n \"remediationSteps\": [\r\n \"1. To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below.\\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user. \\n5. 
Change the credentials for all resources that the user had permissions to access.\\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review all activities performed in this resource via Azure Activity Logs and investigate suspicious activities.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"scope of assignment\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"assigned role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"assigner principal ID\": \"Sample user\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"resourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242024549599_75409b20-73c3-401d-91b6-02877cf1bd72/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"name\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4527017Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_PrivilegedRoleDefinitionCreation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:35.54504Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f\",\r\n \"intent\": \"PrivilegeEscalation, DefenseEvasion\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.\",\r\n \"remediationSteps\": [\r\n \"1. 
To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the principal user that created the role.\\n2. If the activity is legitimate, dismiss this alert. Otherwise, treat the user account as compromised and continue with the steps below.\\n3. Change the passwords of the user account or block the account entirely.\\n4. Delete the privileged role.\\n5. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n6. Change the credentials for all resources that the user had permissions to access.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"role definition creator principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"role definition creator IP address\": \"0.0.0.0\",\r\n \"role definition creator principal name\": \"Sample user\",\r\n \"role definition name\": \"sample\",\r\n \"role definition ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"PrivilegeEscalation, DefenseEvasion\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"name\": \"Sample user\",\r\n \"upnSuffix\": \"sample\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242044549599_bbbb0469-0821-4a1f-b399-f9fb1a86634f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"name\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n 
\"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.4942936Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_AnomalousClassicRoleAssignment\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:29.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86\",\r\n \"intent\": \"DefenseEvasion, LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Permissions granted for a classic role in an unusual way for your Azure environment (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Microsoft Defender for Resource Manager detected a role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in the tenant due to the following anomalies: \\nassignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. \\nThis operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to escalate privileges to a different user account.\",\r\n \"remediationSteps\": [\r\n \"1.To determine whether this was a legitimate operation performed by the actual account owner, contact the account owner of the assigner.\\n2. 
If the activity is legitimate, dismiss this alert. Otherwise, treat the user accounts of the assigner and assignee as compromised and continue with the steps below. \\n3. Change the passwords of the accounts of the assigner and assignee, or block the user accounts entirely.\\n4. Using Azure Activity Logs and Azure AD audit logs, review all activities performed by the user.\\n5. Change the credentials for all resources that the user had permissions to access. \\n6. Treat the resource as compromised and perform remediation actions: review IAM permissions for the resource and remove permissions for any unfamiliar user account, review all Azure Security Center alerts related to the resource and investigate them, review Azure Activity Logs for activities performed in this resource.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"assigner principal ID\": \"sample\",\r\n \"assignee principal ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"scope of assignment\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"role\": \"CoAdmin\",\r\n \"resourceType\": \"Azure Resource\",\r\n \"killChainIntent\": \"DefenseEvasion, LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"name\": \"sample\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"aadUserId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"00.00.00.00\",\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"name\": \"azureadmin\",\r\n \"upnSuffix\": \"contoso.com\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n 
},\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242104549599_33717eda-d0f9-438d-8a31-3972c8525e86/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"name\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:25.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage file share 
'Sample-fileShare' in storage account 'Sample-Storage'. \",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. 
Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242144862413_7779c8ca-05bb-4bd8-9081-9f25124865db/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"name\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7087609Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:23.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_196\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242164862413_da5aadf6-91c7-408b-bc48-337dc0878015/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"name\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.8953381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_SMBExeOverwriteAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:21.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual overwrite of .exe in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual overwrite of an executable file in your Azure storage account 
'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unexpected overwrite of an executable (.exe file) has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has overwritten an executable file with a potentially malicious one in your storage account.\\r\\n• A legitimate user has overwritten an executable file.\",\r\n \"investigation steps\": \"• Determine who overwrote the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Kerberos\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files SMB\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"\",\r\n \"activity type\": \"OverwriteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) overwritten\": \"Sample-File\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_199\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242184862413_4d82d8e8-626c-48fb-93be-617bf9576868/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"name\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:19.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc\",\r\n \"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose.\\r\\n• Review the directory's or file's access permissions to make sure they are expected. NTFS permissions can be assigned at the directory or file level: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#3-configure-ntfs-permissions-over-smb .\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"SetSecurityInformation\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242204862413_cea4724d-d2af-46cd-b221-c627879634cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"name\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6133961Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:17.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious file from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutRange\",\r\n \"file\": \"dummy/path/to/maliciousFile.exe\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"malware description\": \"File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File\",\r\n \"threat report summary\": \"The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. 
This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.\",\r\n \"detection source\": \"Team Cymru\",\r\n \"threat report\": \"Sample-Report\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_209\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": \"centralus_211\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242224862413_68620698-3c3b-4b4a-ac31-c5ca6bc2bcec/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"name\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.6367188Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:15.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242244862413_43689788-9247-4044-b258-6093d62ba45c\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetShareProperties\",\r\n \"api type\": \"Files REST\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242244862413_43689788-9247-4044-b258-6093d62ba45c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"name\": 
\"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.7708984Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:13.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle. 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview.\",\r\n \"• Rotate all storage account keys that may be compromised and ensure that your storage account keys are only shared with authorized users.\",\r\n \"• Ensure that storage account keys are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage account keys in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Kerberos\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"Files SMB\",\r\n \"request status\": \"\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_219\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242264862413_40c9d79c-7fe1-421b-9e75-2f61a3e4d332/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"name\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5509007Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:11.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_223\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242284862413_14cf4760-ba3a-431e-a222-6e8091e75ea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"name\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.599286Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:09.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that files in a file share of a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListFiles\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_227\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242304862413_f2faa67f-cc5a-495d-8911-a6e6face829f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"name\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:19:41.7936291Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.NumberOfFilesAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:07.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of files extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of files from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of files has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of files from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of files from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"5 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"150\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_231\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242324862413_ac27ec0b-ab0f-4047-ae09-2052672e3602/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"name\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.435833Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:05.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider 
using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage file share.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage file share (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage file share (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetFile\",\r\n \"api type\": \"Files REST\",\r\n \"size of extracted data\": \"150 MB\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"extracted files\": \"5\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_235\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242344862413_441a8bad-fce3-4cf9-95c2-cad95850875c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"name\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.5055333Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:03.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"CreateFile\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_239\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242364862413_eba0e060-7a61-47d4-a1f1-32a3da169aeb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"name\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.4988057Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Files_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:16:01.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage file share\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/files/toc.json.\",\r\n \"• Consider using identity-based authentication: 
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the file share's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Files\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Files REST\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetShareAcl\",\r\n \"file share\": \"Sample-fileShare\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_243\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242384862413_81750549-ca83-418a-bab8-fdd3b64457a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"name\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2964395Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:59.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An IP that is a known Tor exit node accessed Storage container 'Sample-Container' in storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Revoke all credentials that may be compromised and ensure that they're only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert takes into account the authentication type used (if any), and whether this is the first case of such access.\\r\\nPotential causes:\\r\\n• An attacker has accessed the storage account using Tor and is trying to hide their identity (true positive).\\r\\n• A legitimate user has accessed the storage account using Tor, perhaps for penetration testing (benign positive).\",\r\n \"investigation steps\": \"• Check if this actor is legitimate. Examine the authentication method and credentials used, as well as the actor's history of actions on this storage account and other resources in this subscription.\\r\\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"CreatePathDir\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"size of extracted data\": \"0 Bytes\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_247\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_246\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242404862413_9b32b98f-83de-47e2-abc4-1b438e3d2927/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"name\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2427463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:57.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_250\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from a suspicious IP address.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is considered suspicious.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your storage account from a potentially suspicious IP.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"335.88 KB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"AlertSimulator\",\r\n \"threatType\": \"Sample-Type\",\r\n \"threatName\": \"Sample-Threat\",\r\n \"confidence\": 1.0,\r\n \"threatDescription\": \"\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_252\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242424862413_e94423bd-33f1-477c-919e-bb63d3f8be57/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"name\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1804085Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_SuspiciousApplication\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:55.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Access from a suspicious application \",\r\n \"description\": \"THIS IS A SAMPLE ALERT: There was a failed attempt to anonymously access the blob container `Sample-Container` in your storage account 
`Sample-Storage`. This might indicate that an attacker is trying to exploit a vulnerability or access data in your storage account, or it could be the result of a penetration test carried out in your organization. The suspicious application detected was `eicarDummyApp`. For more details, please see the user-agent string in the alert fields. In many cases, attackers might successfully access data after a series of failed attempts. It’s therefore important to act on this alert.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"application name \": \"eicarDummyApp\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_256\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_256\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_255\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242444862413_02add91f-a22e-428b-96d3-3942ff14aded/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"name\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PhishingContent\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:53.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] PREVIEW - Phishing content hosted on a storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. 
Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.\",\r\n \"remediationSteps\": [\r\n \"• Review the content of the Azure Storage account to identify and remove phishing content. The URL in the alert may indicate a starting point for your investigation.\",\r\n \"• If you suspect that your Storage credentials have been compromised, revoke all storage access tokens that may have been compromised and implement the following security best practices:\",\r\n \" 2.1.\\\\tEnsure that your access tokens are only shared with authorized users.\",\r\n \"2.2. Limit access to your Storage account, following the 'least privilege' principle. (https://aka.ms/StorageAccountSecureAccess)\",\r\n \"2.3. Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Disallow anonymous public access to blobs in your Storage account, unless required for your scenario. 
(https://aka.ms/StorageAccountPublicAccess)\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"type\": \"url\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242464862413_d0e6088d-72e2-4426-ac98-c904baf74a39/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"name\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1081657Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_PermissionsChangeAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:51.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3\",\r\n 
\"intent\": \"Persistence\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual change of access permissions in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a directory or a file in your Azure storage account 'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Use Azure AD security groups: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#what-is-the-best-way-to-apply-acls.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage directory or file permissions are configured correctly.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of this directory or file have been changed in an unusual way.\\r\\nPotential causes:\\r\\n• An attacker has changed directory or file permissions to weaken its security.\\r\\n• A legitimate user has changed directory or file permissions.\",\r\n \"investigation steps\": \"• Confirm whether the directory or file permissions change was performed for a legitimate purpose: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories.\\r\\n• Review the directory's or file's access permissions to make sure they are expected.\\r\\n• View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"SetPathAccessControl\",\r\n \"storage file path(s) accessed\": \"\",\r\n \"killChainIntent\": \"Persistence\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_264\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_264\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242484862413_1388b27e-922a-469f-892b-ea8e2dbaf9c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"name\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0980315Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.SuccessfulDiscovery\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:49.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers successfully discovered\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A successful discovery of 3 publicly open storage containers in storage account 'Sample-Storage' was performed in the last hour by a scanning script or tool.\\r\\n\\r\\nScanned containers include: static, images, backups.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storagecontainers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\\r\\n\\r\\nAfter a threat actor successfully discovers a container, they usually continue by reading and exfiltrating the data.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nLook at diagnostic logs to see all sensitive data that may have leaked, and escalate the alert and information.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed this scan is legitimate. Look at IP, location, user agent, and their history.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"140 MB\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"number of containers successfully accessed\": \"3\",\r\n \"list of containers successfully accessed\": \"Sample-1, Sample-2, Sample-3\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_268\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_267\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242504862413_16f8c4b6-7770-4f2a-b26c-98bbb88e80f9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"name\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.6989769Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenContainersScanning.FailedAttempt\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:47.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n 
\"alertDisplayName\": \"[SAMPLE ALERT] Publicly accessible storage containers unsuccessfully scanned\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: 1232 failed attempts to scan for publicly open storage containers in storage account 'Sample-Storage' were performed in the last hour.\\r\\n\\r\\nScanned containers include: erp, exe, export, exports, file.\\r\\n\\r\\nThis usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.\\r\\nThe threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\",\r\n \"• When allowing anonymous access to containers, consider adding a random suffix to its name (or use a randomly generated name) to limit these types of scans in the future. 
For example, use 'salesshare-4536-7836-8967'.\",\r\n \"• If this is a recurring alert from the same IP, consider blocking the source IP address (see how to block an IP address: https://go.microsoft.com/fwlink/?linkid=2179709).\",\r\n \"This can be done at the storage account level using the 'networking' configuration or at the subscription level using the networking 'access restrictions' configuration.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"• Reconnaisance attack (True Positive)\\r\\n• Penetration testing\\r\\n• A bug in an application is causing it to perform serial attempts to read different blobs (False Positive).\",\r\n \"investigation steps\": \"• Check this account for publicly open containers with sensitive data. If such containers exist, immediately change their access policy to private (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• To list all containers that are publicly accessible in a storage account, use the PowerShell script in this link: https://go.microsoft.com/fwlink/?linkid=2180103.\\r\\n\\r\\n• Check whether the user that performed the scanning is legitimate. Look at IP, location, user agent, and their history. Scanning operations read blob URIs and/or use \\\"list blobs\\\".\\r\\n• Check whether data was exfiltrated from containers in this storage account and/or by this actor.\\r\\n• This alert may be triggered by a coding issue in the application accessing the storage container. 
If you've validated that the actor is legitimate, identified the coding issue, and ruled out a possible leak of sensitive content, this alert can be considered benign.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"among the enumeration terms used\": \"erp, exe, export, exports, file, files, firmware, git, img, iso, jenkins, logs, media, mobile, photos, pics, private, prod, production, products, projects, public, release, repo, reports, resources, script, scripts, services, snapshots, source, src, staging, stats, storage, tenant, tmp, upload, uploads, user, userdata, users, usr, vhd, vhdx, video, videos, web, www, xslx\",\r\n \"number of failed access attempts\": \"1232\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242524862413_416c09b0-1bfb-454c-b1e7-af3cf678a197/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"name\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9581337Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_OpenACL\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:45.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Storage account with potentially sensitive data has been detected with a publicly exposed container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: The access policy of a container in your storage account was modified to allow anonymous 
access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.\",\r\n \"remediationSteps\": [\r\n \"• Check the access level of the container listed in the alert details. If the access level is set to 'anonymous' and this behavior is not intended, change the access level to 'private' and escalate the alert to your information security team.\",\r\n \"• Where possible, we recommend using shared access signature tokens instead of granting public access to storage containers and blobs.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"container name\": \"Sample-Container\",\r\n \"sensitive name\": \"Sample-Container\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242544862413_0de6216d-37d3-43f2-9a1a-0a845c33e066/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"name\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.0277068Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for 
Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_MalwareHashReputation\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:43.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Potential malware uploaded to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has uploaded potential malware to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Remove the malicious blob from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. 
Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that a blob containing potential malware has been uploaded to your storage account.\\r\\nPotential causes:\\r\\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\\r\\n• A legitimate user has unintentionally uploaded a malicious blob.\\r\\n• A legitimate user is performing tests on the system (e.g. penetration testing).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"PutBlob\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"malware description\": \"Indicator related to a known malware campaign\",\r\n \"detection source\": \"A Microsoft Partner\",\r\n \"blob\": \"Sample-Blob\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": 
\"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"algorithm\": \"MD5\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"directory\": \"Sample-fileShare/dummy/path/to\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_280\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242564862413_ce86e4ef-e90f-4a90-b5e6-95d1a7b34fb9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"name\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9214203Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:41.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb\",\r\n \"intent\": 
\"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' from an unusual location.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account.\\r\\n• A legitimate user has accessed your storage account from a new location.\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"operations types\": \"GetContainerProperties\",\r\n \"api type\": \"Blob\",\r\n \"container\": \"Sample-Container\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_285\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_284\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242584862413_86782ca4-d8c6-480f-bba0-835c4ef545cb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"name\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:15.4758611Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ExeUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:39.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .exe to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of an executable file to your Azure storage account 
'Sample-Storage'. This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Delete the .exe from your storage account.\",\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an executable (.exe file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has uploaded a malicious executable file to your storage account.\\r\\n• A legitimate user has uploaded an executable file.\",\r\n \"investigation steps\": \"• Determine who uploaded the latest version of the executable file.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Azure AD\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"eicar@microsoft.com\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"FlushFile\",\r\n \"azure AD application ID\": \"12345\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242604862413_7f5d8e1e-30da-461d-9e54-017bc4089268/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"name\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.9519418Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DeletionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:37.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual deletion in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'. 
This alert was triggered by an ADLS Gen2 transaction.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"• Perform an undelete if the delete operation was a soft delete. See how to configure soft deletion and more information: https://go.microsoft.com/fwlink/?linkid=2078042\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has deleted data from your storage account.\\r\\n• A legitimate user has performed an unusual deletion.\",\r\n \"investigation steps\": \"• Confirm whether the data deletion was intended based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"authentication type\": \"Account key\",\r\n \"client location\": \"Sample-Location\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"api type\": \"ADLS Gen2\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"DeleteDirectory\",\r\n \"access key used\": \"key2\",\r\n \"storage file path(s) deleted\": \"Sample-File1, Sample-File2\",\r\n \"containers\": \"Sample-Container1, Sample-Container2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242624862413_8a9bf18a-c4e4-4a83-ac73-5bf7000385e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"name\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.2482588Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5295037Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExplorationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:35.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual data exploration in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual data exploration operation in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \" Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that blobs or containers in a storage account have been enumerated in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user or application logic has explored data within the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"ListBlobs\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242644862413_3f031153-69ed-4762-bc56-2b18c72f673f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"name\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.7896151Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:33.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual number of blobs extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual number of blobs from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• 
Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large number of blobs has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large number of blobs from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual number of blobs from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"66.58 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"41084\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242664862413_73153419-1385-456c-bb1a-3502d45ac377/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"name\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.8245787Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:31.5137586Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual amount of data extracted from a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n 
\"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\\r\\nPotential causes:\\r\\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\\r\\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).\",\r\n \"investigation steps\": \"{\\\"displayValue\\\":\\\"View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2075734\\\"}\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"254.47 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"extracted blobs\": \"2\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242684862413_a4e79a82-4645-4698-a823-e33a9795676e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"name\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:05.1388808Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_CspkgUploadAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:29.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485\",\r\n \"intent\": \"LateralMovement, Execution\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual upload of .cspkg to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual upload of a Cloud Service deployment package to your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Determine if the cloud service package has been deployed to your subscription, and if so, delete the corresponding service.\",\r\n \"• Delete the .cspkg from your storage account.\",\r\n \"• Limit access to your 
storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an Azure Cloud Service package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.\\r\\n• A legitimate user has been preparing for a legitimate service deployment.\",\r\n \"investigation steps\": \"• Determine who uploaded the cloud service package, and whether it is for a legitimate service.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Shared access signature (SAS)\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"access key used to generate SAS token\": \"key1\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlockList\",\r\n \"storage file path(s) uploaded\": \"Sample-Path1, Sample-Path2\",\r\n \"killChainIntent\": \"LateralMovement, Execution\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242704862413_e9599a83-a7e3-433c-9ec2-8f5e8d331485/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"name\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6456194Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_ApplicationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:27.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual application accessed a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has accessed your Azure storage account 'Sample-Storage' using an unexpected application.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using identity-based 
authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that an unusual application has accessed this storage account.\\r\\nPotential causes:\\r\\n• An attacker has accessed your storage account using a new application.\\r\\n• A legitimate user has used a new application/browser to access your storage account.\",\r\n \"investigation steps\": \"• Confirm whether the storage account access was expected, based on information provided above such as IP address, location and user agent used.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Account key\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"PutBlob\",\r\n \"access key used\": \"key2\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242724862413_52ea7665-354e-4a5d-9cfd-701562f67adb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"name\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6977555Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AnonymousAccessAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:25.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unauthenticated access to a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Container 'Sample-Container' in storage account 'Sample-Storage' from an IP address located in Azure Data Center: Central Us.\\r\\n\\r\\nThere may have been additional unauthenticated access to this storage account.\",\r\n \"remediationSteps\": [\r\n \"• Where applicable, we recommend to configure authenticated access to blob containers using Azure AD roles or shared access signature tokens.\",\r\n \"• If you have a 
legitimate reason for these containers to remain publicly accessible, verify that they do not contain sensitive data. Additionally, ensure that users with write permissions are aware that the uploaded data will be publicly accessible.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that this account has been accessed anonymously (i.e. without any authentication), which is unexpected compared to recent access pattern on this account.\\r\\nPotential causes:\\r\\n• An attacker has exploited public read access to a container.\\r\\n• A legitimate user or application has used public read access to a container.\",\r\n \"investigation steps\": \"• Check if you have sensitive data on this publicly open container. If you do, immediately change the access policy to private, review diagnostic logs for sensitive data that may have leaked, and escalate the alert and information. (see how to change your access policy: https://go.microsoft.com/fwlink/?linkid=2179708)).\\r\\n\\r\\nThis is necessary despite the fact that the observed attempts failed, because reconnaissance has taken place and there might have been some successful activity.\\r\\n• Check if this actor is legitimate. 
Review IP, location, user agent, and their history.\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Anonymous\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"azure AD user\": \"N/A (Azure AD user authentication was not used)\",\r\n \"operations types\": \"GetBlobProperties, GetBlob\",\r\n \"api type\": \"Blob\",\r\n \"size of extracted data\": \"22.96 MB\",\r\n \"container\": \"Sample-Container\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"type\": \"blob-container\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242744862413_62662ba9-98fc-42c5-9b72-c0e71cb317d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"name\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.6177881Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AccessInspectionAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:23.5137586Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual access inspection in a storage blob container\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Someone has performed an unusual access inspection in your Azure storage account 'Sample-Storage'.\",\r\n \"remediationSteps\": [\r\n \"• Limit access to your storage account, following the 'least privilege' principle: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle.\",\r\n \"• Consider using 
identity-based authentication: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.\",\r\n \"• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\",\r\n \"• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential causes\": \"This alert indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account.\\r\\nPotential causes:\\r\\n• An attacker has performed reconnaissance for a future attack.\\r\\n• A legitimate user has performed maintenance on the storage account.\",\r\n \"investigation steps\": \"• Confirm whether the access policy inspection was performed for a legitimate purpose: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.\\r\\n• Review the storage container's access permissions to make sure they are expected. The permissions can be viewed and updated through the Azure Portal or Azure Storage Explorer.\\r\\n• View related storage activity using Storage Analytics Logging. 
See how to configure Storage Analytics logging and more information: https://go.microsoft.com/fwlink/?linkid=2075734\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"client location\": \"Sample-Location\",\r\n \"authentication type\": \"Azure AD\",\r\n \"user agent\": \"Sample-Agent\",\r\n \"service type\": \"Azure Blobs\",\r\n \"api type\": \"Blob\",\r\n \"additional Information\": \"Sample-Additional-Information\",\r\n \"container\": \"Sample-Container\",\r\n \"request status\": \"Success\",\r\n \"activity type\": \"GetContainerACL\",\r\n \"azure AD application ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"aadTenantId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"objectGuid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"isValid\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242764862413_368c0702-d523-4e52-9f29-8089fc32bc04/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"name\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:04.614246Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5137586Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Storage Accounts\",\r\n \"alertType\": \"SIMULATED_Storage.Blob_AM.MalwareFound\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:21.5137586Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e\",\r\n \"intent\": \"LateralMovement\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-Storage\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Malicious file uploaded to storage account\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A malicious file was uploaded to your storage account 'Sample-Storage'.\\r\\nThe malware detection is based on Microsoft antimalware scanning.\\r\\nPotential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.\",\r\n \"remediationSteps\": [\r\n \"Remove the malicious blob from your storage account. 
You may move it to a designated storage container for quarantine, or delete it.\",\r\n \"It is advisable to enable \\\\\\\"soft delete\\\\\\\" before deleting malware, to support the ability to undo the deletion. Learn more about enabling soft delete on Azure storage: https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview.\\\",\\\"If you have diagnostic logs enabled, query them to see if any other applications or users accessed this file. Trace their actions and contain the blast radius.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Storage\",\r\n \"potential Causes\": \"1. Intentional upload of malware by a malicious actor (true positive)\\r\\n\\r\\n2. Unintentional upload of malware by a legitimate user (true positive)\\r\\n\\r\\n3. A false positive detection by Microsoft antimalware scanning. You can submit a file for analysis if you suspect it may be a false positive: \\r\\n(https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide)\",\r\n \"shA-256\": \"Sample-SHA\",\r\n \"investigation Steps\": \"• Learn more about the malware type by reading the report on the identified malware in Microsoft Security Intelligence:\\r\\n(https ://www.microsoft.com/wdsi/threats/threat-search?query=DOS/EICAR_Test_File)\\r\\n\\r\\n• If you have diagnostic logs enabled, go to them and query to see if any other applications or users accessed this file. 
Trace their actions and contain the blast radius.\\r\\n\\r\\n• Review the credentials used to perform the upload, to track back and find the user who uploaded the file.\\r\\n\\r\\n• If you performed an investigation and suspect the this might be a false positive, you can submit a file for analysis\\r\\n(https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).\\r\\nEnsure you enter the provider name \\\"Defender for Storage\\\".\\r\\n\\r\\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.\",\r\n \"malware types detected\": \"DOS/EICAR_Test_File\",\r\n \"killChainIntent\": \"LateralMovement\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/microsoft.storage/storageaccounts/Sample-Storage\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"algorithm\": \"SHA256\",\r\n \"value\": \"Sample-SHA\",\r\n \"type\": \"filehash\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"name\": \"Sample-Name\",\r\n \"storageResource\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"type\": \"blob-container\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"directory\": \"https://Sample-Storage.blob.core.windows.net/Sample\",\r\n \"name\": \"Sample-Name\",\r\n \"fileHashes\": [\r\n {\r\n \"$ref\": \"centralus_331\"\r\n }\r\n ],\r\n \"type\": \"file\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"name\": \"Sample-Name\",\r\n \"blobContainer\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"url\": \"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\r\n \"etag\": \"Sample-Tag\",\r\n \"type\": \"blob\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"name\": \"Sample-Name\",\r\n \"category\": \"Virus\",\r\n \"files\": [\r\n {\r\n \"$ref\": 
\"centralus_333\"\r\n }\r\n ],\r\n \"type\": \"malware\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242784862413_5cdf49ba-2c0f-4f90-9b78-cb6ae93ac19e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"name\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9503127Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_TorAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:17.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a Tor exit node\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 
'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy.\\r\\nThe threat actor's access was authenticated using Aad.\\r\\nAuthenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. 
Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• A legitimate user has accessed your Azure Cosmos DB account using Tor.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242824549599_6e49ca65-f83a-4760-a285-8d8e95f2cb32/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"name\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.7672167Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousIp\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:15.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from a suspicious IP\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.\\r\\nThe threat actor's access was authenticated using Aad.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. 
Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Check for credential theft by reviewing the authentication method.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account from a potentially suspicious IP.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a potentially suspicious IP.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_342\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
}\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242844549599_5f583548-cb4d-4596-a5ec-ae557370756e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"name\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.9003843Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.Fuzzing\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:13.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede\",\r\n \"intent\": \"Discovery\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: failed fuzzing attempt\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was used to query container 'Sample-Container' 
in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nLike other well-known SQL injection attacks, this statement won’t succeed in Azure Cosmos DB. Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account.\\r\\nSome SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.\\r\\nYou can prevent this threat by using parameterized queries (for more information, see the remediation steps).\",\r\n \"remediationSteps\": [\r\n \"• This alert may indicate this subscription is being targeted. To harden your environment, resolve any outstanding Defender for Cloud security recommendations for this resource and any others on this Azure subscription.\",\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Verify whether this user is legitimate. Review the credentials used and user's history of actions on this resource and others.\\r\\n• Search for other alerts on this subscription that might indicate that this is part of a larger attack.\\r\\n• Inspect the application that is connected to this Azure Cosmos DB account. 
It may be vulnerable to this fuzzing attack.\",\r\n \"potential causes\": \"• Failed attack attempt, part of an enumeration, reconnaissance or command injection attempt.\\r\\n• Pen testing.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"client IP address\": \"00.00.00.00\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"top suspicious queries\": \"• [1 rows returned] SELECT VALUE [{\\\"item\\\": COUNT(1)}]\\nFROM root\\nWHERE ((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\")))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\r\\n• [0 rows returned] SELECT root._rid, [{\\\"item\\\": root[\\\"order\\\"]}, {\\\"item\\\": root[\\\"_ts\\\"]}] AS orderByItems, root AS payload\\nFROM root\\nWHERE ((((root[\\\"creation_datetime\\\"] = \\\"2022-07-06T00:00:00+00:00\\\") AND (root[\\\"camera_id\\\"] IN (\\\"javascript:alert(_SCAN-@126032-951533-1926@-);\\\"))) AND (true)) AND IS_DEFINED(root))\\nORDER BY root[\\\"order\\\"] ASC, root[\\\"_ts\\\"] ASC\\nOFFSET 0 LIMIT 100\",\r\n \"total suspicious queries\": \"2\",\r\n \"killChainIntent\": \"Discovery\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_346\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242864549599_4df6c5e3-351b-4dc6-b5d9-9a7602cd3ede/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"name\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.803451Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SqlInjection.DataExfiltration\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:11.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] SQL injection: potential data exfiltration\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious SQL statement was 
used to query container 'Sample-Container' in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount'.\\r\\nThe injected statement might have succeeded in exfiltrating data the user wasn’t authorized to access.\\r\\nDue to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data.\",\r\n \"remediationSteps\": [\r\n \"• To prevent similar attacks in the future, use Azure Cosmos DB parameterized queries in all your apps.\",\r\n \"How to use parameterized queries: https://go.microsoft.com/fwlink/?linkid=2177214.\",\r\n \"• If, for some reason, you can’t use parameterized queries, perform another form of input validation to protect against SQL injection attacks.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Investigate the query and the user. For details of the user, review the audit logs of your application. Check which user ran the query.\\r\\n• If the action appears malicious, continue investigating the blast radius. You may run the query (shown in the field \\\"Top suspicious queries\\\") to see what data was exfiltrated.\",\r\n \"potential causes\": \"• Successful data exfiltration (True Positive).\\r\\n• Pen testing.\\r\\n• A legitimate actor is trying to see all of the data, bypassing the application's access control methods. 
In this case, this can be considered a False Positive, however this is unsafe and should be blocked (see remediation steps on blocking).\",\r\n \"user agent\": \"dummySqlAgent\",\r\n \"connection mode\": \"\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"\",\r\n \"total anomalous queries\": \"1\",\r\n \"top anomalous queries\": \"• SELECT * FROM root WHERE (root[\\\\\\\"userId\\\\\\\"] = \\\\\\\"123' OR '1'='1'\\\\\\\")\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_350\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242884549599_a3bfe6e4-6912-46f8-aba7-412e130fee4a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"name\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.6843414Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_GeoAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:09.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188\",\r\n \"intent\": \"InitialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Access from an unusual location\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: One or more containers in Azure Cosmos DB account 'Sample-AzureCosmosDBAccount' were accessed from a location considered unfamiliar, based on the usual access pattern.\\r\\nEither a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. 
We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Contact the user to validate whether this is known and expected activity.\",\r\n \"potential causes\": \"• An attacker has accessed your Azure Cosmos DB account.\\r\\n• A legitimate user has accessed your Azure Cosmos DB account from a new location.\",\r\n \"user agent\": \"dummyAgent\",\r\n \"connection mode\": \"Gateway\",\r\n \"container name\": \"Sample-Container\",\r\n \"database name\": \"Sample-Database\",\r\n \"key type\": \"Aad\",\r\n \"killChainIntent\": \"InitialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_354\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242904549599_2f4cd1ea-38c1-4cd5-9a25-345086de3188/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"name\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.671875Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_DataExfiltrationAnomaly\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:07.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64\",\r\n \"intent\": \"Exfiltration\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Unusual volume of data extracted\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: An unusually large amount of data has been extracted from container 'Sample-Container' in Azure Cosmos 
DB account 'Sample-AzureCosmosDBAccount'. This might indicate that a threat actor exfiltrated data.\",\r\n \"remediationSteps\": [\r\n \"• If it’s determined that the user isn’t legitimate, revoke any credentials that may be compromised and ensure that they are shared with authorized users only.\",\r\n \"• Limit access to the Azure Cosmos DB account, following the principle of least privilege. We recommend: https://go.microsoft.com/fwlink/?linkid=2177213.\",\r\n \"• Ensure that Azure Cosmos DB access tokens are stored in a secure location such as Azure Key Vault. Avoid storing or sharing Azure Cosmos DB access tokens in source code, documentation, or email.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Cosmos DB\",\r\n \"alert Id\": \"00000000-0000-0000-0000-000000000000\",\r\n \"investigation steps\": \"• Check whether this Azure Cosmos DB account holds sensitive data. Look at diagnostic logs for any sensitive data that may have leaked and escalate the alert and information. 
If it appears sensitive data may have leaked, immediately review access permissions to the account and consider rotating keys.\",\r\n \"potential causes\": \"• An attacker has extracted a large amount of data from an account.\\r\\n• A legitimate user or application has extracted an unusual amount of data from an account.\",\r\n \"collection name\": \"Sample-Collection\",\r\n \"database name\": \"Sample-DataBase\",\r\n \"key type\": \"Aad\",\r\n \"connection mode\": \"Gateway\",\r\n \"impacted region\": \"EUS\",\r\n \"extracted data\": \"5.37 GB\",\r\n \"killChainIntent\": \"Exfiltration\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_358\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242924549599_7cd05b6b-62eb-4d32-8400-e373ef0f7d64/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"name\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:27.1754832Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.5606644Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n \"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:05.54504Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Preview - Suspicious extraction of Azure Cosmos DB account keys was detected\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. 
The access key that was extracted provides full control over the associated databases and the data stored within.\\r\\nThe key extraction is suspicious for the following reasons:\\r\\n- Key listing operations are rarely invoked by this principal on Azure Cosmos DB accounts in this subscription.\\r\\n\\r\\nThis can indicate that the identity performed this operation is compromised and is being used with malicious intent.\",\r\n \"remediationSteps\": [\r\n \"• Determine whether the activity was intentional by contacting the account owner. If the activity was intentional and legitimate, dismiss the alert. Otherwise, treat the user account, involved Azure Cosmos DB accounts and Azure subscription as compromised and continue with the next remediation steps.\",\r\n \"• Remediate the compromised principal account : delete the account if it’s an unfamiliar account (the attacker may have created it). Otherwise, change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB account keys that were previously listed by the threat actor.\",\r\n \"• Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in the Microsoft Defender for Cloud portal to the subscription and investigate them, use Azure Activity Logs to locate any suspicious activities and review all activities that were performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"Azure Resource\",\r\n \"principal object ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"source IP address\": \"00.00.00.00\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": \"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_362\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242944549599_e4264e9b-78dc-452b-ad10-f513e732094b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"name\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.8379753Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"Azure Cosmos DB Accounts\",\r\n 
\"alertType\": \"SIMULATED_AzureCosmosDB_SuspiciousListKeys.MaliciousScript\",\r\n \"startTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:15:03.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432\",\r\n \"intent\": \"CredentialAccess\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"Sample-AzureCosmosDb\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] Extraction of Azure Cosmos DB accounts keys via a potentially malicious script\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: A Powershell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription.\\r\\nThreat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.\\r\\n\\r\\nThis operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.\\r\\nAlternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.\",\r\n \"remediationSteps\": [\r\n \"• Remediate the compromised user identity: If it’s an unfamiliar, new identity (the threat actor may have created it), then delete the user identity.\",\r\n \"Otherwise, change the user’s authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\",\r\n \"• Remediate the compromised Azure Cosmos DB account: rotate Azure Cosmos DB accounts keys that were previously listed by the threat actor.\",\r\n \"• 
Remediate the compromised subscription: review IAM permissions for the subscription and remove permissions for any unfamiliar user identity.\",\r\n \"Review all Azure resources and delete any unfamiliar Azure resources.\",\r\n \"Review all alerts in Microsoft Defender for Cloud related to the subscription and investigate them.\",\r\n \"Use Azure Activity Logs to find suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"resourceType\": \"ARM\",\r\n \"investigation steps\": \"Investigate whether the identity that performed the list-key operations is compromised:\\r\\n• Contact the Azure Cosmos DB account owner to understand their intentions and actions.\\r\\n• Look at the authentication method of this user and the actions they performed across the Azure subscription.\\r\\nUse Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\r\\n• If you have diagnostic logs enabled, inspect the actions this identity performed in the Azure Cosmos DB account/s.\",\r\n \"ip address\": \"00.00.00.00\",\r\n \"username\": \"Sample-Username\",\r\n \"aad user ID\": \"00000000-0000-0000-0000-000000000000\",\r\n \"killChainIntent\": \"CredentialAccess\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/Sample-RG/providers/Microsoft.DocumentDb/databaseAccounts/Sample-AzureCosmosDBAccount\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"address\": \"00.00.00.00\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -78.17197,\r\n \"latitude\": 38.73078,\r\n \"asn\": 8075\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"A Microsoft Partner\",\r\n \"threatType\": \"Eicar threat type\",\r\n \"threatName\": 
\"Eicar malware family\",\r\n \"confidence\": 1.0,\r\n \"reportLink\": \"\",\r\n \"threatDescription\": \"Eicar description\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_366\"\r\n },\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336242964549599_1e34a2ba-af65-44e1-b47b-f120b3026432/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"name\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-16T21:52:53.8710364Z\",\r\n \"processingEndTimeUtc\": \"2022-11-16T21:52:53.6916675Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-15T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n 
\"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.160 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517338123999999999_88986299-6133-49ef-9af0-183ce5a8ba88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"name\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.3785021Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8521763Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_7ef9c4d7-b0ec-4ca2-bfa2-292ca89e85a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"name\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3966011Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1755194Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341363999999999_d0ccb6c9-dfc8-4f0f-804a-1491193ae919/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"name\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-12T21:47:11.7084868Z\",\r\n \"processingEndTimeUtc\": \"2022-11-12T21:47:10.8520084Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses 
recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n \"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_386\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_0c5bf4bb-a995-43f5-9619-d158d44e43ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"name\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-13T20:54:26.3624463Z\",\r\n \"processingEndTimeUtc\": \"2022-11-13T20:54:26.1754203Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-11T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 137.184.84.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"address\": \"137.184.84.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"San Jose\",\r\n 
\"longitude\": -121.83823,\r\n \"latitude\": 37.33053,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_391\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517341615999999999_d28ae776-b17f-4397-ab44-19a62eed2130/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"name\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-11T21:04:29.5102358Z\",\r\n \"processingEndTimeUtc\": \"2022-11-11T21:04:28.8368795Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-10T14:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517342119999999999_9079a3fc-c3ae-482d-bdb5-967f090a9f53/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"name\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-04T21:03:19.814381Z\",\r\n \"processingEndTimeUtc\": \"2022-11-04T21:03:12.9864236Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-03T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_399\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517348527999999999_14ef79d9-7c6c-4536-9770-b31421fdff88/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"name\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-03T20:56:42.8912983Z\",\r\n \"processingEndTimeUtc\": \"2022-11-03T20:56:39.5149213Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-11-02T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for 
blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517349355999999999_b3b7f42f-47b3-4d2c-b3ab-3ee863a2ddac/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"name\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-01T21:58:15.540622Z\",\r\n \"processingEndTimeUtc\": \"2022-11-01T21:58:14.9043034Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.128 [1]\\r\\nIP: 176.222.18.110 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_17bb7035-efb1-4cf5-b5e2-aaa572cf00d0/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"name\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-02T22:45:37.72398Z\",\r\n \"processingEndTimeUtc\": \"2022-11-02T22:45:37.2820909Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-31T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517351155999999999_8c7482af-7ba4-4e69-8973-033a11f4af71/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"name\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-30T20:43:32.8362319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-30T20:43:32.2666649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-29T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 149.18.60.6 [1]\\r\\nIP: 148.75.113.72 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"149.18.60.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n 
\"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 396998,\r\n \"carrier\": \"Path Network Inc.\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"148.75.113.72\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Newton\",\r\n \"longitude\": -74.80559,\r\n \"latitude\": 41.08337,\r\n \"asn\": 6128,\r\n \"carrier\": \"Cablevision Systems Corp.\",\r\n \"organization\": \"Optimum Online (Cablevision Systems)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517352919999999999_e28803ea-be48-4d93-b226-0cc1e5f5a45e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"name\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-29T19:50:46.7836038Z\",\r\n \"processingEndTimeUtc\": \"2022-10-29T19:50:46.6002852Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-28T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 71.178.215.234 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517353603999999999_b8ba4071-d12f-4877-9f8c-0f31f2c7949d/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"name\": 
\"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T21:21:50.4934572Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T21:21:50.1558349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-27T03:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 12.13.191.67 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.28.112.140 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"12.13.191.67\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Louisiana\",\r\n \"city\": \"New Orleans\",\r\n \"longitude\": -90.06568,\r\n \"latitude\": 29.96582,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Marriott Corporationattn Joh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354611999999999_26362dd9-4c7e-4922-bea3-d52efeb701d9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"name\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-28T01:00:14.0366672Z\",\r\n \"processingEndTimeUtc\": \"2022-10-28T01:00:13.8635731Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-26T17:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 8.30.197.172 [1]\\r\\nIP: 12.157.53.195 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"12.157.53.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Long Beach\",\r\n \"longitude\": -118.1589,\r\n \"latitude\": 33.7808,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Velocity Bre\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517354971999999999_e9273933-75d5-4b6e-8fca-2b3f01cbb49e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"name\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-10-25T22:59:24.7258494Z\",\r\n \"processingEndTimeUtc\": \"2022-10-25T22:59:24.4099152Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to 
be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.29 [1]\\r\\nIP: 198.12.89.41 [1]\\r\\nIP: 173.249.187.107 [1]\\r\\nIP: 24.18.46.38 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"address\": \"198.12.89.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"address\": \"173.249.187.107\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.99809,\r\n \"latitude\": 39.75263,\r\n \"asn\": 133744,\r\n \"carrier\": \"Better Cloud Limited\",\r\n \"organization\": \"Global Link Communications Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Edmonds\",\r\n \"longitude\": -122.34664,\r\n \"latitude\": 47.80392,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517357311999999999_88c78f97-4457-4148-a6d9-570ec3f5f5f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"name\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-23T20:55:55.6554453Z\",\r\n \"processingEndTimeUtc\": \"2022-10-23T20:55:55.0986682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-22T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 173.201.17.86 [1]\\r\\nIP: 72.215.237.211 [2]\\r\\nIP: 69.28.75.137 [2]\\r\\nIP: 8.30.197.172 [1]\\r\\nIP: 141.98.83.131 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_469\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"address\": \"72.215.237.211\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Rhode Island\",\r\n \"city\": \"Warwick\",\r\n \"longitude\": -71.38996,\r\n \"latitude\": 41.71237,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n 
\"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"address\": \"8.30.197.172\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Paramus\",\r\n \"longitude\": -74.07017,\r\n \"latitude\": 40.94459,\r\n \"asn\": 12025,\r\n \"carrier\": \"Iron Mountain Data Center\",\r\n \"organization\": \"Groundwidgets Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359003999999999_8873c3ae-55b2-46fe-8027-d53e4d328e95/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"name\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:45.3670215Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4184682Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T05:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 150.95.29.64 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n 
\"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359723999999999_71299d42-cfb6-4f65-a4a0-658c5887e490/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"name\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-22T20:37:34.6106772Z\",\r\n \"processingEndTimeUtc\": \"2022-10-22T20:37:34.4182771Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-21T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n 
\"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_488\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517359867999999999_766c77ab-8895-4f7a-89e6-4d083108bf9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"name\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:36.9527631Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5859747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 69.202.183.90 [3]\\r\\nIP: 195.133.20.78 [99]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.248.163.228 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.227.254.53 
[1]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 147.78.47.154 [9]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 89.250.82.36 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 45.226.126.252 [1]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 45.227.254.49 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_508\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_518\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n 
\"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_535\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_537\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Olinda\",\r\n \"longitude\": -34.90666,\r\n \"latitude\": -7.98953,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_529\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_3717b643-f9b0-44df-aec3-f3d73ec4b836/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"name\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.848069Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9442537Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.104 [1]\\r\\nIP: 207.154.207.116 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 124.221.214.54 [98]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 185.51.61.82 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": 
\"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Zuid-Holland\",\r\n \"city\": \"Brielle\",\r\n \"longitude\": 4.16122,\r\n \"latitude\": 51.89596,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\",\r\n \"organization\": \"Des Capital B.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_594\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_595\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_596\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_597\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_598\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_599\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_600\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_601\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_5dbece07-f4fe-4459-b8fc-1bedb76dfd7e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"name\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.1238208Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:43:11.7850829Z\",\r\n \"endTimeUtc\": 
\"2022-10-19T08:46:18.8210573Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_2\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:43:11.7850829\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:46:18.8210573\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"47\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (23), user (3), administrador (2), admin (2), distant1 (1), asp.net (1), escaner (1), dator (1), faraz (1), chris (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:46:18.8210573Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_3\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361318082149170_bde90507-747d-4a5e-8dfd-62646238fea9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"name\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-19T09:12:15.7506308Z\",\r\n \"processingEndTimeUtc\": \"2022-10-19T09:12:12.7612332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-19T08:34:16.9189969Z\",\r\n \"endTimeUtc\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_4\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_5\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n 
\"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/19 08:34:16.9189969\",\r\n \"activity end time (UTC)\": \"2022/10/19 08:35:36.0841961\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"19\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), administrador (2), admin (2), reception (1), scanner (1), root (1), user (1), utente (1), bokforing (1), admin 3 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-19T08:35:36.0841961Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_6\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361323430810030_69e34fab-9b7e-4f03-8079-160944ecf021/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"name\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T08:12:21.5799147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T08:12:17.8716581Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-18T07:01:04.8124138Z\",\r\n \"endTimeUtc\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_7\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_8\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/18 07:01:04.8124138\",\r\n \"activity end time (UTC)\": \"2022/10/18 07:59:23.7067193\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.129\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"31\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"24\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (6), DATA CENTER USER (2), DSNVSUSER (1), DONALD E. 
BETTIS (1), FUELDISP (1), GP (1), CONTRAUSER (1), DEAFULTUSER (1), FULTON (1), EXACTIVEUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-18T07:59:23.7067193Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_9\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362243351875861_bc4ae0e9-f30b-4edf-87df-58c2ea0106c3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"name\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T04:12:02.5218294Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T04:11:58.4521214Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-17T03:00:40.7373365Z\",\r\n \"endTimeUtc\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_10\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_11\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/17 03:00:40.7373365\",\r\n \"activity end time (UTC)\": \"2022/10/17 03:58:42.8075611\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"46\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (12), AZUREUSER (11), ADMINUSER (11), VMADMIN (2), SUPERUSER (2), AZADMIN (1), USERADMIN (1), AZUSER (1), AZURE (1), DEMOUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-17T03:58:42.8075611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_12\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363251592626634_6b19f1dd-f008-484f-9b61-4955f6293b77/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"name\": 
\"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T03:11:56.1105452Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T03:11:51.6770359Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-16T02:31:21.2161162Z\",\r\n \"endTimeUtc\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_13\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_14\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/16 02:31:21.2161162\",\r\n \"activity end time (UTC)\": \"2022/10/16 02:32:30.6331048\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.215\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"26\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (6), user1 (2), admin (2), defaultaccount (2), administrador (2), principal (1), test666 (1), adminportal (1), reports (1), pop10 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-16T02:32:30.6331048Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_15\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364133187838837_1d3e3a68-49e1-482b-9911-06f2d9dee722/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"name\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T02:11:59.5981045Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T02:11:53.2828004Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-15T01:00:15.0973756Z\",\r\n \"endTimeUtc\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_16\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_17\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/15 01:00:15.0973756\",\r\n \"activity end time (UTC)\": \"2022/10/15 01:59:46.8790817\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"MACROLAN (2), MITEV (1), DEPJIVE (1), KIM (1), DEV (1), CTZ9 (1), CUBE (1), CREATIVES-SERVER (1), KOLECO (1), MONITOR (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-15T01:59:46.8790817Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_18\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365051849026243_511e56c3-106b-430e-9009-4cc5f52e854e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"name\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T23:12:20.0982221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T23:12:13.5169181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-13T22:00:01.4482685Z\",\r\n \"endTimeUtc\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_19\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_20\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/13 22:00:01.4482685\",\r\n \"activity end time (UTC)\": \"2022/10/13 22:59:53.5475957\",\r\n \"attacker source IP\": \"IP Address: 191.96.168.246\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"289\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"288\",\r\n \"top accounts with failed sign in attempts (count)\": \"SCANSIONI (1), ALPHA (1), RCLARK (1), AD (1), RETAIL (1), CALIDAD (1), CONSULTANT (1), OSPITE (1), Z (1), CS1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-13T22:59:53.5475957Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_21\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366023985517314_a2370f80-604f-4886-8e34-75faa27d9a3b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"name\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T08:12:07.7636221Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T08:12:02.9681269Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-12T07:03:03.4902548Z\",\r\n \"endTimeUtc\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_22\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_23\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/12 07:03:03.4902548\",\r\n \"activity end time (UTC)\": \"2022/10/12 07:58:25.9885039\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"19\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEMOADMIN (2), USERADMIN (2), AZUREADMIN (1), DEMO (1), VADMIN (1), AZUREUSER (1), SQLADMIN (1), ROOTADMIN (1), SUPERVISOR (1), ITADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-12T07:58:25.9885039Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_24\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367426165097451_cf4b2741-5d03-426f-945b-888f33a9c8b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"name\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:15.7469577Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3009079Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:24:25.9159134Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_25\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_26\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:24:25.9159134\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:25:34.0915332\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), shipping (1), test3 (1), contabilidad (1), usuario (1), serveur-bacnet (1), phonix (1), iusrplesk_smwebmail (1), defaultaccount (1), administrateur (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:25:34.0915332Z\",\r\n \"killChainIntent\": \"Probing\"\r\n 
},\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_27\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368313340840865_0edf2f3c-3adb-4b15-bb43-792e170e2fe2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"name\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T07:12:26.2282804Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T07:12:12.3164432Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-11T06:01:14.9169493Z\",\r\n \"endTimeUtc\": \"2022-10-11T06:56:30.497614Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_28\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_29\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/11 06:01:14.9169493\",\r\n \"activity end time (UTC)\": \"2022/10/11 06:56:30.4976140\",\r\n \"attacker source IP\": \"IP Address: 20.127.38.151\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"12\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (2), DEMOADMIN (1), SUPERVISOR (1), VDIADMIN (1), VMADMIN (1), DEMO (1), SUPERUSER (1), VADMIN (1), AZUREADMIN (1), AZUREUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-11T06:56:30.497614Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_30\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368327250830506_4753852e-5df0-4b5b-8c1c-c68ea8e249cd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"name\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T05:12:25.7328319Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T05:12:22.9501113Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-10T04:39:37.8316652Z\",\r\n \"endTimeUtc\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_31\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_32\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/10 04:39:37.8316652\",\r\n \"activity end time (UTC)\": \"2022/10/10 04:40:46.9760933\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"25\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), test (2), presale (1), ricoh (1), hma (1), user1 (1), t1_buero (1), labor (1), caps (1), nashua (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-10T04:40:46.9760933Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_33\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369240221683347_4dbfc85e-995a-4a66-904f-a4b3e624d0ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"name\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T00:12:35.8969216Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T00:12:32.7404871Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-08T23:01:26.3028246Z\",\r\n \"endTimeUtc\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_34\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_35\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/08 23:01:26.3028246\",\r\n \"activity end time (UTC)\": \"2022/10/08 23:02:34.9154571\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.204\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), usuario (3), default (2), barbara (1), defaultaccount (1), mikuo (1), uzak1 (1), opc (1), tnt1 (1), agora_service (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T23:02:34.9154571Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_36\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370307136971753_4967db7e-b426-4c00-a684-878abe10cf30/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/westeurope/alerts/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"name\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T17:11:57.3573487Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T17:11:55.7883406Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_SshBruteForceFailed\",\r\n \"startTimeUtc\": \"2022-10-08T16:13:32.805Z\",\r\n \"endTimeUtc\": \"2022-10-08T16:59:53.736Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_37\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_38\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testService1\",\r\n \"alertDisplayName\": \"Failed SSH brute force attack\",\r\n \"description\": \"Failed SSH brute force attacks were detected on testService1\",\r\n \"remediationSteps\": [\r\n \"1. In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \",\r\n \"2. Enforce the use of strong passwords and do not re-use them across multiple resources and services (see http://windows.microsoft.com/en-us/Windows7/Tips-for-creating-strong-passwords-and-passphrases)\",\r\n \"3. In case this is an Azure virtual machine, Create an allow list for SSH access in NSG (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"number of failed authentication attempts to host\": \"63\",\r\n \"accounts used on failed sign in to host attempts\": \"[\\\"root\\\"]\",\r\n \"was SSH session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-08T16:59:53.736Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_39\",\r\n \"hostName\": \"testService1\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"omsAgentID\": \"2b613470-a780-4991-a9f5-7894862c213b\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"westeurope_40\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": 
\"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"westeurope_41\",\r\n \"name\": \" root\",\r\n \"ntDomain\": \" root\",\r\n \"host\": {\r\n \"$ref\": \"westeurope_39\"\r\n },\r\n \"isDomainJoined\": false,\r\n \"type\": \"account\"\r\n },\r\n {\r\n \"$id\": \"westeurope_42\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"westeurope_40\"\r\n },\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370551871949999_f7956fd4-fc7a-4894-8674-3e2de7c5fa0e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myService1/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"name\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T12:12:12.6540563Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T12:12:10.2351107Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-07T11:04:11.9286049Z\",\r\n \"endTimeUtc\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_43\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_44\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/07 11:04:11.9286049\",\r\n \"activity end time (UTC)\": \"2022/10/07 11:58:08.5153711\",\r\n \"attacker source IP\": \"IP Address: 36.95.205.132\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (1), DEMOUSER (1), ADMINISTRATOR (1), TEST (1), AZUREUSER (1), SUPERVISOR (1), DEMOADMIN (1), ADMIN (1), SUPERUSER (1), TEST1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-07T11:58:08.5153711Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_45\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371601480713950_851da2f5-2fdb-44d9-8d6b-28e773de55b3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"name\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T05:12:05.9972706Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T05:12:01.8802104Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-06T04:23:26.0454432Z\",\r\n \"endTimeUtc\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_46\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_47\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/06 04:23:26.0454432\",\r\n \"activity end time (UTC)\": \"2022/10/06 04:24:35.8466979\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.202\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"29\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), scanner (3), test (2), server (2), user2 (2), ppp (1), max04 (1), acronis (1), windows11 (1), pc (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-06T04:24:35.8466979Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_48\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372705939545567_a78ff14c-6c39-4dc3-b154-39f15fb137ae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"name\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T03:12:04.1411263Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T03:12:00.6268144Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-05T02:50:46.5034967Z\",\r\n \"endTimeUtc\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373625534965032_759ca676-028f-4204-8957-de649b3e6562\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_49\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_50\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/05 02:50:46.5034967\",\r\n \"activity end time (UTC)\": \"2022/10/05 02:51:57.2848574\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.211\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"32\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (3), info (2), temp (2), pos (1), 1 (1), ventas (1), spadmin (1), supervisor (1), infoworld (1), account (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-05T02:51:57.2848574Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_51\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373625534965032_759ca676-028f-4204-8957-de649b3e6562/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"name\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T22:12:05.1705693Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T22:12:04.1268393Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-03T21:02:04.491411Z\",\r\n \"endTimeUtc\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_52\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_53\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/03 21:02:04.4914110\",\r\n \"activity end time (UTC)\": \"2022/10/03 21:59:45.9038559\",\r\n \"attacker source IP\": \"IP Address: 91.240.118.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"42\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"35\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (5), KSTURGEON (2), ADMIN (2), WADMIN (1), XAFSERVICEACCNT (1), SIADAD (1), YSMITH (1), KRUSS (1), VNIUSER-DONOTDELETE (1), KOTT.# (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-03T21:59:45.9038559Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_54\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374698755085889_02eadad4-5d35-45a5-990d-bb80c96d0037/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"name\": 
\"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T21:11:58.5816299Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T21:11:54.3443174Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-02T20:00:01.9149954Z\",\r\n \"endTimeUtc\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_55\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_56\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/02 20:00:01.9149954\",\r\n \"activity end time (UTC)\": \"2022/10/02 20:59:52.1082032\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"431\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALADMIN (30), SYSADMIN (29), VMADMIN (29), ADADMIN (29), DEMOUSER (29), ADMIN01 (29), DADMIN (29), SERVERADMIN (29), AZUREUSER (29), SADMIN (29)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-02T20:59:52.1082032Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_57\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375599980850045_b3e924bd-f420-4f8d-b180-70092a4402df/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"name\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T20:12:00.2987738Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T20:11:58.0659196Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-10-01T19:00:03.9085601Z\",\r\n \"endTimeUtc\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_58\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_59\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/10/01 19:00:03.9085601\",\r\n \"activity end time (UTC)\": \"2022/10/01 19:59:57.4159824\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"426\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (30), ADMINUSER (30), ADMIN123 (29), AZUREUSER (29), TESTUSER (28), SUPERADMIN (28), SYSADMIN (28), VMADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-10-01T19:59:57.4159824Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_60\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376499960914398_90a66ab2-7ee5-46b4-83d3-6f203a39d979/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"name\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:12:00.7770747Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:11:57.5373519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-30T18:00:04.3960635Z\",\r\n \"endTimeUtc\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_61\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_62\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/30 18:00:04.3960635\",\r\n \"activity end time (UTC)\": \"2022/09/30 18:59:54.1716651\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"422\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"SYSADMIN (29), VMADMIN (29), DEMOUSER (28), ADMIN01 (28), DADMIN (28), SADMIN (28), TESTUSER (28), SUPERADMIN (28), LOCALADMIN (28), SERVERADMIN (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-30T18:59:54.1716651Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_63\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377399956039364_5154b239-0265-424c-b5de-179170bbc8d3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"name\": 
\"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T18:12:10.264524Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T18:12:04.7435178Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-29T17:00:02.5605584Z\",\r\n \"endTimeUtc\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_64\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_65\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/29 17:00:02.5605584\",\r\n \"activity end time (UTC)\": \"2022/09/29 17:59:57.0286763\",\r\n \"attacker source IP\": \"IP Address: 20.111.37.32\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"419\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"14\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (29), LOCALADMIN (28), SERVERADMIN (28), ADADMIN (28), TESTUSER (28), SUPERADMIN (28), AZUREUSER (28), ADMINUSER (28), AZUREADMIN (28), ADMIN01 (28)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-29T17:59:57.0286763Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_66\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378299974394415_26242699-ee6b-4381-8c50-026b01fe5ad3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"name\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:10.505636Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:05.5258206Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:37.992094Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_67\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_68\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n 
],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:05.5258206\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:37.9920940\",\r\n \"attacker source IP\": \"IP Address: 20.25.4.51\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"81\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (9), VMADMIN (9), AZUREUSER (9), DEMOADMIN (8), ADMINUSER (8), USERADMIN (8), DEMO (8), DEMOAZURE (8), SUPERUSER (7), AZURE (7)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:37.992094Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_69\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199944741793_88fea8c2-0b38-486d-9593-9ea25f5209ef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"name\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T17:12:09.9085237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T17:12:04.9963951Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-28T16:00:00.9053856Z\",\r\n \"endTimeUtc\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_70\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_71\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/28 16:00:00.9053856\",\r\n \"activity end time (UTC)\": \"2022/09/28 16:59:59.2397348\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.113\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"1415\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"1263\",\r\n \"top accounts with failed sign in attempts (count)\": \"MYTHTV (2), NAGIOS (2), ACCOUNTS (2), ADMINISTRAREUR (2), ADMINSERVER (2), MICROSOFT (2), BACKUPEXEC (2), NOBODY (2), CYBER (2), AAA (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-28T16:59:59.2397348Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_72\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379199990946143_9ecf7757-6eb2-4781-9e6a-f8806368d3fd/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"name\": 
\"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T16:11:58.2117895Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T16:11:55.1500289Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-27T15:00:34.6903888Z\",\r\n \"endTimeUtc\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_73\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_74\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a 
well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/27 15:00:34.6903888\",\r\n \"activity end time (UTC)\": \"2022/09/27 15:59:16.3833641\",\r\n \"attacker source IP\": \"IP Address: 20.216.185.188\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"74\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (19), AZUREUSER (10), DEMOADMIN (7), DEMOUSER (6), AZURE (5), SUPERUSER (4), AZUREADMIN (4), DEMO (4), ADMINUSER (4), STUDENT (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-27T15:59:16.3833641Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_75\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380099653096111_d96e1aab-0432-41d2-8156-a6acfc350313/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"name\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T15:12:12.2955906Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T15:12:10.3345847Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-26T14:19:33.6913949Z\",\r\n \"endTimeUtc\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_76\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_77\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/26 14:19:33.6913949\",\r\n \"activity end time (UTC)\": \"2022/09/26 14:58:23.8234441\",\r\n \"attacker source IP\": \"IP Address: 20.245.85.81\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (3), WINADMIN (1), USERADMIN (1), DEMOADMIN (1), VMADMIN (1), NETADMIN (1), DEMO (1), DEMOUSER (1), AZUREADMIN (1), SUPERUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-26T14:58:23.8234441Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_78\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380988263086050_b29b6894-bec1-4e08-bf01-80c03d04304a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"name\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T13:11:53.1202057Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T13:11:49.5869519Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-25T12:00:01.1997686Z\",\r\n \"endTimeUtc\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_79\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_80\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/25 12:00:01.1997686\",\r\n \"activity end time (UTC)\": \"2022/09/25 12:59:57.1598611\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"632\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"628\",\r\n \"top accounts with failed sign in attempts (count)\": \"REINALDO (2), RAJU (2), PULSE (2), KIM (1), KENT (1), TESTE2 (1), TEST_FTP (1), TECHNO (1), SERVER2 (1), SERVER1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-25T12:59:57.1598611Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_81\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381935988002313_4d1be1e0-080f-4b9c-8c02-cc3b2bd14ab1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"name\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T12:11:59.378581Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T12:11:56.1933205Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-24T11:00:18.5763676Z\",\r\n \"endTimeUtc\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_82\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_83\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/24 11:00:18.5763676\",\r\n \"activity end time (UTC)\": \"2022/09/24 11:58:49.6929962\",\r\n \"attacker source IP\": \"IP Address: 181.30.28.175\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"DEFAULTACCOUNT (4), DADMIN (2), DPEREZ (1), DIYANA (1), DATACOM (1), DAWWRAY (1), DCDC (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-24T11:58:49.6929962Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_84\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517382835814236323_e34e59e5-a5b3-471c-be16-1e85854090a7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"name\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T11:12:04.8132808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T11:12:02.7422157Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-23T10:00:00.8274366Z\",\r\n \"endTimeUtc\": \"2022-09-23T10:59:59.507462Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_85\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_86\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/23 10:00:00.8274366\",\r\n \"activity end time (UTC)\": \"2022/09/23 10:59:59.5074620\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"634\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"601\",\r\n \"top accounts with failed sign in attempts (count)\": \"MENU (2), MAYA (2), MORGAN (2), MONITORING (2), MONGOUSER (2), MAURICIO (2), GEOMETRY (2), GERENTE (2), THIERRY1129 (2), TESTE2 (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-23T10:59:59.507462Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_87\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383735991725633_47ad7800-e236-4ce6-8edf-8220149cf2d1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"name\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T05:12:05.8349115Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T05:12:03.3099425Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-22T04:00:04.6046565Z\",\r\n \"endTimeUtc\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_88\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_89\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/22 04:00:04.6046565\",\r\n \"activity end time (UTC)\": \"2022/09/22 04:59:56.0312542\",\r\n \"attacker source IP\": \"IP Address: 195.78.54.97\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"478\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"477\",\r\n \"top accounts with failed sign in attempts (count)\": \"CHAT (1), AXIS (1), AWS (1), DEEPTHI (1), DEBORA (1), USERS1 (1), USER001 (1), USBMUX (1), UPLINK (1), SVT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-22T04:59:56.0312542Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n 
\"entities\": [\r\n {\r\n \"$id\": \"westeurope_90\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384815953953434_70363aae-c34d-4f99-abd8-b920e9908069/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"name\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T02:11:54.213474Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T02:11:49.8007199Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-21T01:09:51.5862915Z\",\r\n \"endTimeUtc\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_91\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": 
\"westeurope_92\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/21 01:09:51.5862915\",\r\n \"activity end time (UTC)\": \"2022/09/21 01:11:21.0264894\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"21\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (16), defaultaccount (1), asd (1), vpn07 (1), it (1), iusrplesk_smwebmail (1), asad (1), admin (1), takip (1), serv (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-21T01:11:21.0264894Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_93\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385782084137084_e63d1179-e210-4bfc-855d-48980d3484c6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"name\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:55.5762868Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7861694Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:45:22.3822188Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_94\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_95\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:45:22.3822188\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:46:30.4248487\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (13), admn (1), foats (1), admin (1), emanuel (1), user (1), support_388945a0 (1), slawek (1), defaultaccount (1), alvand.01 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:46:30.4248487Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_96\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386696776177811_80c6475e-8bab-44a2-ae90-d1b7d787ec96/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"name\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T00:12:54.3199684Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T00:12:52.7866698Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-19T23:33:59.3779873Z\",\r\n \"endTimeUtc\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517386703606220126_a816319c-5320-41db-a249-385660ee22f8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_97\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_98\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/19 23:33:59.3779873\",\r\n \"activity end time (UTC)\": \"2022/09/19 23:35:26.6505374\",\r\n \"attacker source IP\": \"IP Address: 87.251.64.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), gh-11 (1), training (1), admin (1), vss (1), scanner (1), yousef (1), pointex (1), user (1), usuario (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-19T23:35:26.6505374Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_99\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517386703606220126_a816319c-5320-41db-a249-385660ee22f8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"name\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:00.3085599Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:25:13.0131394Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_100\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_101\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:25:13.0131394\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:26:21.8162231\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"20\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (17), toshiba (1), admin (1), ntp (1), utente (1), accounting (1), remoto (1), user01 (1), sales-new (1), server t (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:26:21.8162231Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_102\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387860869868605_3968a869-1a60-428a-9a9b-ba732b616829/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"name\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-18T16:12:05.4874397Z\",\r\n \"processingEndTimeUtc\": \"2022-09-18T16:11:57.4880747Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-18T15:11:42.6615962Z\",\r\n \"endTimeUtc\": \"2022-09-18T15:12:51.457454Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_103\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_104\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/18 15:11:42.6615962\",\r\n \"activity end time (UTC)\": \"2022/09/18 15:12:51.4574540\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.207\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"18\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (18), win7 (2), terminal (1), markku.virtanen (1), admin (1), eng7 (1), xmetasr (1), hd (1), adm (1), vcenteno (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-18T15:12:51.457454Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_105\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387868973384037_dcad6e56-2fed-4b7a-8d38-2d22714db84c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"name\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:12:00.0473808Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:16:10.2702205Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_106\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_107\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:16:10.2702205\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:17:19.8910018\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"28\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (8), test (2), sys (1), principal (1), imran (1), almira (1), contabilidad (1), admin801 (1), peggy (1), tranquoclong (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:17:19.8910018Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_108\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389054297297794_72327d76-f7cb-48e4-9a66-50df30da282f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"name\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-17T07:11:59.8011657Z\",\r\n \"processingEndTimeUtc\": \"2022-09-17T07:11:56.5511934Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-17T06:14:58.8904498Z\",\r\n \"endTimeUtc\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_109\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_110\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/17 06:14:58.8904498\",\r\n \"activity end time (UTC)\": \"2022/09/17 06:56:27.7122183\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"73\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"56\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (15), user (2), defaultaccount (2), jola (1), compta (1), ghost (1), zvnc2066 (1), morisita (1), mj (1), lucero (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-17T06:56:27.7122183Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_111\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389055011095501_88ea4ec2-46aa-401d-873a-875ef42a0b06/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"name\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-16T06:12:23.9923865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-16T06:12:21.6042797Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-16T05:08:11.5262962Z\",\r\n \"endTimeUtc\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_112\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_113\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/16 05:08:11.5262962\",\r\n \"activity end time (UTC)\": \"2022/09/16 05:18:17.0502097\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.11\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"terminal1 (2), silvia (2), daniel (2), mari (2), natalia (2), francisco (2), ricoh (2), vp (2), acer (2), luiz (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-16T05:18:17.0502097Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_114\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517389959084737037_e75cdb2b-36b6-45f9-ac1c-f0e19db9c99a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"name\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1262444Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:13:32.7545248Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_115\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_116\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:13:32.7545248\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:44:44.3710273\",\r\n \"attacker source IP\": \"IP Address: 194.28.112.140\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"102\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"85\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (10), admin (6), SvcCOPSSH (2), Support (2), ntp_CFKADS2226 (1), Administracao (1), Userstd01 (1), rebecca (1), suporte (1), MP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:44:44.3710273Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_117\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390855872454751_42829edb-5555-4488-b43b-2ebeecadf3fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"name\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-15T05:12:02.1782121Z\",\r\n \"processingEndTimeUtc\": \"2022-09-15T05:11:59.7844316Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-15T04:01:15.447908Z\",\r\n \"endTimeUtc\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_118\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_119\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/15 04:01:15.4479080\",\r\n \"activity end time (UTC)\": \"2022/09/15 04:59:18.4256783\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"SERVER (3), TEST (3), TESTUSER (3), USER (3), LOCALUSER (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), REMOTE (2), SYSADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-15T04:59:18.4256783Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_120\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517390863245520919_fcd6c1b2-2d7c-4ba3-82ef-162db12aeb4f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"name\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:18.2784408Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:16:06.3695856Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_121\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_122\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:16:06.3695856\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:28:53.2546631\",\r\n \"attacker source IP\": \"IP Address: 45.141.84.119\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"267\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"leo (4), nathalia (4), emerson (4), francisco (3), usuario1 (2), user02 (2), terminal1 (2), billing (2), soporte (2), controller (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:28:53.2546631Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_123\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391754336304143_46b9554d-b194-47b5-b072-5856c29f5799/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"name\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-14T04:12:17.5289904Z\",\r\n \"processingEndTimeUtc\": \"2022-09-14T04:12:13.5856632Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-14T03:00:09.0721606Z\",\r\n \"endTimeUtc\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_124\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_125\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/14 03:00:09.0721606\",\r\n \"activity end time (UTC)\": \"2022/09/14 03:58:48.0506045\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"47\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), AZUREADMIN (3), IME_USER (3), REMOTE (3), IME_ADMIN (3), ADMIN (3), RDP (3), HP (3), PC (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-14T03:58:48.0506045Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_126\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517391763909278393_54c9cafd-28cf-4439-b725-c3c6b1bfd4bc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"name\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.1627812Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5440471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:06:33.966198Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_127\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_128\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:06:33.9661980\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:16.2352367\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), SERVER (2), SYSADMIN (2), IME_ADMIN (1), RDP (1), LOCALUSER (1), LOCALADMIN (1), TEST (1), AZUREUSER (1), TESTUSER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:16.2352367Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_129\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392660060338019_1b24d18d-91f3-4b98-8ff2-dc5b89207cef/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"name\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:04.3606094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5435472Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:06.5351616Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_130\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_131\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:06.5351616\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:59:02.3354809\",\r\n \"attacker source IP\": \"IP Address: 177.222.33.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"45\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (3), LOCALUSER (3), SERVER (3), SYSADMIN (3), AZUREADMIN (3), TEST (3), LOCALADMIN (3), USER (3), TESTUSER (3), IME_ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:59:02.3354809Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_132\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663334648383_23bae19c-dca6-40f2-b156-2ec471523287/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"name\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-13T03:12:03.911237Z\",\r\n \"processingEndTimeUtc\": \"2022-09-13T03:12:02.5430516Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-13T02:01:02.6571238Z\",\r\n \"endTimeUtc\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_133\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_134\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/13 02:01:02.6571238\",\r\n \"activity end time (UTC)\": \"2022/09/13 02:58:26.9865062\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (7), STUDENT (6), ADMIN (6), SUPPORT (6), BAT (6), AZUREUSER (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-13T02:58:26.9865062Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_135\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517392663373428761_752f132e-e58b-46c2-92fe-783aeb505110/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"name\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.729702Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1435668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:03:00.0345939Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_136\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_137\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:03:00.0345939\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:17.2623523\",\r\n \"attacker source IP\": \"IP Address: 94.68.140.243\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"20\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"11\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (3), AZUREUSER (2), IME_USER (2), IME_ADMIN (2), TEST (2), PC (2), USER (2), ADMIN (1), REMOTE (1), RDP (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:17.2623523Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_138\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562199654060_423f4a69-851a-4f7c-9b08-88a813960bd8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"name\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.292184Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1430669Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:02:01.5569515Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_139\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_140\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:02:01.5569515\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:42.6611129\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"69\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (16), AZUREADMIN (16), ADMINISTRATOR (11), ADMINUSER (6), AZURE (5), STUDENT (5), USERADMIN (5), VMADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:42.6611129Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_141\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393562784430484_cf36c220-d19d-40ce-8862-58b437e21676/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n 
}\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"name\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:08.6726842Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1420668Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:01:14.3047487Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:58:35.508169Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_142\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_143\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an 
attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:01:14.3047487\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:58:35.5081690\",\r\n \"attacker source IP\": \"IP Address: 202.53.137.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"36\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (6), AZUREUSER (6), SUPPORT (6), BAT (6), ADMIN (6), ADMINISTRATOR (6)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:58:35.508169Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_144\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563256952512_ccf75af6-6489-438f-8374-1dd5dc089d9c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"name\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-12T02:12:09.6088372Z\",\r\n \"processingEndTimeUtc\": \"2022-09-12T02:12:08.1440671Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-12T01:00:33.1405851Z\",\r\n \"endTimeUtc\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517393563668594148_38360230-c781-41cf-874b-7c504030a950\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_145\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_146\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/12 01:00:33.1405851\",\r\n \"activity end time (UTC)\": \"2022/09/12 01:59:46.8333262\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"94\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), RDP (6), REMOTE (6), HP (6), IME_USER (5), USER (5), AZURE (5), TESTUSER (5), ADMIN (5), ADMINISTRATOR (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-12T01:59:46.8333262Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"westeurope_147\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517393563668594148_38360230-c781-41cf-874b-7c504030a950/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"name\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4913968Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:12.8945794Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:58:59.500311Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_148\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_149\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:12.8945794\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:58:59.5003110\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"64\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (20), AZUREUSER (18), AZURE (6), STUDENT (6), USERADMIN (5), VMADMIN (5), ADMINUSER (4)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:58:59.500311Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_150\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463871054205_41da342d-fb0d-462a-96dc-9841a6fe0e82/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"name\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-11T01:12:50.4969246Z\",\r\n \"processingEndTimeUtc\": \"2022-09-11T01:12:48.881971Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-11T00:00:01.3462764Z\",\r\n \"endTimeUtc\": \"2022-09-11T00:59:39.874272Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_151\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_152\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/11 00:00:01.3462764\",\r\n \"activity end time (UTC)\": \"2022/09/11 00:59:39.8742720\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"91\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"PC (6), IME_ADMIN (5), IME_USER (5), USER (5), TEST (5), RDP (5), REMOTE (5), AZUREADMIN (5), SERVER (5), AZURE (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-11T00:59:39.874272Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_153\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517394463986537235_3e43fd50-118a-4518-bcb5-22c0612e65cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n 
},\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"name\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:40.3691071Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:19:55.8595416Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_154\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_155\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker 
performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:19:55.8595416\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:21:04.4330469\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (10), temp (1), tmitschke (1), pharmacie (1), utente1 (1), ime_user (1), sqli (1), sebastian (1), dave (1), user1 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:21:04.4330469Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_156\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395352041404583_dd6b6fcd-306f-4fa1-8f19-c24954bc7364/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"name\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.2660094Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:02:03.6672061Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_157\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_158\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:02:03.6672061\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:12.4900011\",\r\n \"attacker source IP\": \"IP Address: 13.95.158.167\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"50\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (19), AZUREUSER (18), AZURE (3), STUDENT (3), VMADMIN (3), USERADMIN (2), ADMINUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:12.4900011Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_159\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395362763327938_7b42fe72-da92-4f2c-ae36-88949fdfb6e3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"name\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-10T00:12:41.1471468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-10T00:12:39.184926Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-09T23:00:19.7258321Z\",\r\n \"endTimeUtc\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517395363802741678_e264f637-15f0-418f-aff8-27395309810c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_160\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_161\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/09 23:00:19.7258321\",\r\n \"activity end time (UTC)\": \"2022/09/09 23:59:49.9335078\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"96\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"17\",\r\n \"top accounts with failed sign in attempts (count)\": \"REMOTE (6), RDP (6), SERVER (6), TEST (6), TESTUSER (6), SYSADMIN (6), AZUREADMIN (5), LOCALADMIN (5), IME_USER (5), LOCALUSER (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-09T23:59:49.9335078Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_162\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517395363802741678_e264f637-15f0-418f-aff8-27395309810c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"name\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-08T23:12:05.5813341Z\",\r\n \"processingEndTimeUtc\": \"2022-09-08T23:12:03.6043992Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-08T22:20:29.5893543Z\",\r\n \"endTimeUtc\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_163\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_164\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/08 22:20:29.5893543\",\r\n \"activity end time (UTC)\": \"2022/09/08 22:29:58.4893361\",\r\n \"attacker source IP\": \"IP Address: 194.26.29.40\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"260\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"129\",\r\n \"top accounts with failed sign in attempts (count)\": \"scans (2), gateway (2), tempadmin (2), visitor (2), bill (2), xavier (2), printer (2), destek (2), sqlagent (2), local (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-08T22:29:58.4893361Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_165\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517396251704106456_216760a0-095e-40bf-a772-c0a3590de9f3/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"name\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T22:11:55.5454551Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T22:11:53.7318471Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-07T21:00:23.8352224Z\",\r\n \"endTimeUtc\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_167\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/07 21:00:23.8352224\",\r\n \"activity end time (UTC)\": \"2022/09/07 21:58:54.9798418\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"15\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (3), ADMINISTRATOR (2), ADMIN (2), STUDENT (2), AZUREUSER (2), USER (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-07T21:58:54.9798418Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_168\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517397163761647775_a0e5fef0-d465-4cf1-9a2b-2ca03d39f582/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"name\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T21:11:57.5563617Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T21:11:55.6952354Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-06T20:03:04.4809494Z\",\r\n \"endTimeUtc\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398062155190505_da781582-764a-4262-a50c-a147df275b36\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_169\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_170\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/06 20:03:04.4809494\",\r\n \"activity end time (UTC)\": \"2022/09/06 20:56:55.9879319\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), USER (2), STUDENT (2), ADMIN (2), AZURE (2), AZUREADMIN (2), ADMINISTRATOR (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-06T20:56:55.9879319Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_171\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398062155190505_da781582-764a-4262-a50c-a147df275b36/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"name\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T20:12:10.1745649Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T20:12:08.6252181Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-05T19:02:51.6994995Z\",\r\n \"endTimeUtc\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_172\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_173\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/05 19:02:51.6994995\",\r\n \"activity end time (UTC)\": \"2022/09/05 19:58:21.2436919\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), STUDENT (2), AZURE (2), AZUREUSER (2), ADMINISTRATOR (2), USER (2), ADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-05T19:58:21.2436919Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_174\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517398962283005004_6c66864f-5e93-44f3-bfb9-5c7f06649b56/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"name\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5988845Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.193431Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:15:18.1240752Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_176\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:15:18.1240752\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:16:28.2863719\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.210\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (14), ioana (1), agora_service (1), defaultaccount (1), admimistrator (1), print (1), sctsupport (1), 020 (1), kaiin (1), tsinternetuser (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:16:28.2863719Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_177\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": 
\"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399854818759247_a6d094df-cbf2-41f6-86fc-fa93e1006e59/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"name\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.6848188Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1939306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:03:27.5688076Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_178\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_179\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:03:27.5688076\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:07.7762063\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREUSER (2), AZUREADMIN (2), STUDENT (2), ADMIN (2), USER (2), ADMINISTRATOR (2), AZURE (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:07.7762063Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n 
\"$id\": \"westeurope_180\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399861924311923_2a65efd3-24a3-4723-81fb-41a642795f91/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"name\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-04T19:11:52.5867761Z\",\r\n \"processingEndTimeUtc\": \"2022-09-04T19:11:52.1929306Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-04T18:00:05.4957014Z\",\r\n \"endTimeUtc\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_181\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_182\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/04 18:00:05.4957014\",\r\n \"activity end time (UTC)\": \"2022/09/04 18:59:55.0115416\",\r\n \"attacker source IP\": \"IP Address: 5.253.204.134\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"332\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"325\",\r\n \"top accounts with failed sign in attempts (count)\": \"LLOPEZ (1), JHALL (1), NATALIE (1), METRO (1), KUECHE (1), SICHERUNG (1), EMPFANG (1), JMORALES (1), SHAHID (1), MAGAZZINO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-04T18:59:55.0115416Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_183\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399863945042985_d20ae170-96a9-4c9e-9e23-fed8c60c9591/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"name\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T18:12:52.8145915Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T18:12:46.2244456Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-03T17:01:26.5171211Z\",\r\n \"endTimeUtc\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_184\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_185\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/03 17:01:26.5171211\",\r\n \"activity end time (UTC)\": \"2022/09/03 17:59:43.2673099\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), ADMINISTRATOR (2), ADMIN (2), AZUREADMIN (2), AZURE (2), USER (2), AZUREUSER (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-03T17:59:43.2673099Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_186\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400763134828788_aec44f96-b511-48ab-af2e-f10e7130fcea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"name\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T17:12:17.721054Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T17:12:02.1616332Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-02T16:00:11.6214787Z\",\r\n \"endTimeUtc\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_187\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_188\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs 
numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/02 16:00:11.6214787\",\r\n \"activity end time (UTC)\": \"2022/09/02 16:59:51.9962096\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"14\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), ADMIN (2), AZUREUSER (2), USER (2), ADMINISTRATOR (2), STUDENT (2), AZUREADMIN (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-02T16:59:51.9962096Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_189\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517401663883785212_22e417c5-e93c-4a50-ae08-9695138f42af/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"name\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.3497998Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:01:01.3410856Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_190\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_191\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:01:01.3410856\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:56.7385647\",\r\n \"attacker source IP\": \"IP Address: 20.12.208.47\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"71\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"7\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (14), AZUREADMIN (14), AZUREUSER (14), USERADMIN (7), ADMINUSER (7), STUDENT (7), VMADMIN (7), ARASH (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:56.7385647Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_192\",\r\n 
\"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563386589143_90b70b51-8242-4a99-b0e7-3486bc432f94/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"name\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.5178447Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:46.9534839Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:59:59.840547Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_193\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_194\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:46.9534839\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:59:59.8405470\",\r\n \"attacker source IP\": \"IP Address: 104.46.123.212\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"166\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (29), AZUREADMIN (29), VMADMIN (27), AZURE (27), AZUREUSER (26), USERADMIN (14), ADMINUSER (14)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:59:59.840547Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_195\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563530465160_8c60471a-569f-4b45-86f2-7c4da8278886/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"name\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-01T16:12:08.1847762Z\",\r\n \"processingEndTimeUtc\": \"2022-09-01T16:12:06.8225976Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-09-01T15:00:25.7943636Z\",\r\n \"endTimeUtc\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_196\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_197\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/09/01 15:00:25.7943636\",\r\n \"activity end time (UTC)\": \"2022/09/01 15:57:07.2573856\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"13\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZURE (2), AZUREADMIN (2), AZUREUSER (2), ADMINISTRATOR (2), ADMIN (2), USER (2), STUDENT (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-09-01T15:57:07.2573856Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_198\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402563742056363_b6dd891c-3e90-486e-add3-261293a313ed/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"name\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T15:12:10.1524427Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T15:12:06.8390816Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-31T14:04:17.6514064Z\",\r\n \"endTimeUtc\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_199\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_200\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/31 14:04:17.6514064\",\r\n \"activity end time (UTC)\": \"2022/08/31 14:56:42.6476761\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (2), AZUREADMIN (2), STUDENT (2), AZUREUSER (2), ADMIN (1), USER (1), AZURE (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-31T14:56:42.6476761Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_201\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403461423485935_9f978154-b395-4cfd-97a1-5717aded214c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"name\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T14:12:13.7508035Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T14:12:13.3313494Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-30T13:00:10.0241762Z\",\r\n \"endTimeUtc\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_202\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_203\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/30 13:00:10.0241762\",\r\n \"activity end time (UTC)\": \"2022/08/30 13:55:29.9649978\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"USER (2), AZUREUSER (2), AZURE (2), ADMIN (2), ADMINISTRATOR (1), STUDENT (1), AZUREADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-30T13:55:29.9649978Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_204\",\r\n \"hostName\": 
\"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517404363899758237_be31b760-6573-4260-a2ef-962e756228ea/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"name\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T12:12:08.8517839Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T12:12:07.531903Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-29T11:02:48.6404207Z\",\r\n \"endTimeUtc\": \"2022-08-29T11:58:11.789608Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_205\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_206\",\r\n \"workspaceId\": 
\"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/29 11:02:48.6404207\",\r\n \"activity end time (UTC)\": \"2022/08/29 11:58:11.7896080\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"STUDENT (2), AZUREUSER (2), AZUREADMIN (2), AZURE (2), ADMIN (1), ADMINISTRATOR (1), USER (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-29T11:58:11.789608Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_207\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405298313595792_046c09e4-92f5-482f-b9cf-ff2d5d42fb89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"name\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-28T06:11:54.9445211Z\",\r\n \"processingEndTimeUtc\": \"2022-08-28T06:11:53.4719546Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-28T05:01:43.073242Z\",\r\n \"endTimeUtc\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_208\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_209\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/28 05:01:43.0732420\",\r\n \"activity end time (UTC)\": \"2022/08/28 05:57:10.0252952\",\r\n \"attacker source IP\": \"IP Address: 27.71.226.103\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"11\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"6\",\r\n \"top accounts with failed sign in attempts (count)\": \"AZUREADMIN (2), AZURE (2), AZUREUSER (2), STUDENT (2), ADMINISTRATOR (1), USER (1), ADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-28T05:57:10.0252952Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_210\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517406378969267579_ec10e421-25da-4a3e-8813-e1c54747d813/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"name\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T23:13:05.4395068Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T23:13:04.9885857Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-26T22:01:04.6704718Z\",\r\n \"endTimeUtc\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_211\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_212\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/26 22:01:04.6704718\",\r\n \"activity end time (UTC)\": \"2022/08/26 22:59:05.9404545\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINISTRATOR (4), LOCALADMIN (4), AZURE (4), AZUREUSER (4), AZUREADMIN (4), ADMIN (4), TEST (3), USER (3), LOCALUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-26T22:59:05.9404545Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_213\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407495353295281_d8fe06ee-0c50-42e8-afad-8a6024c97d26/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"name\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:05.22952Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:16:17.9627546Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:17:47.2384739Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_214\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_215\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:16:17.9627546\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:17:47.2384739\",\r\n \"attacker source IP\": \"IP Address: 109.107.166.20\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"41\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"34\",\r\n \"top accounts with failed sign in attempts (count)\": \"Administrator (6), administrator (2), LogMeInRemoteUser (1), KastleRVM (1), AMDService (1), admin (1), stg (1), karla (1), SQLAgent (1), admini (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:17:47.2384739Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_216\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408386220372453_500391c8-d79f-4fbc-a616-d4e3ce7cad37/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"name\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T22:12:13.9841697Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T22:12:03.1251328Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-25T21:00:41.0152726Z\",\r\n \"endTimeUtc\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_218\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/25 21:00:41.0152726\",\r\n \"activity end time (UTC)\": \"2022/08/25 21:58:24.4497285\",\r\n \"attacker source IP\": \"IP Address: 212.122.84.86\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"33\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"8\",\r\n \"top accounts with failed sign in attempts (count)\": \"LOCALUSER (4), USER (4), AZURE (4), LOCALADMIN (4), TEST (4), AZUREADMIN (4), ADMIN (3), ADMINISTRATOR (3), AZUREUSER (3)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-25T21:58:24.4497285Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_219\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408395589847273_6472e7a5-8550-438b-99d0-f676581174a1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"name\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T21:11:57.4592913Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T21:11:53.3866485Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-24T20:01:10.4816659Z\",\r\n \"endTimeUtc\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_220\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_221\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. 
Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/24 20:01:10.4816659\",\r\n \"activity end time (UTC)\": \"2022/08/24 20:58:39.6095585\",\r\n \"attacker source IP\": \"IP Address: 52.180.252.174\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"35\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"USERADMIN (6), AZUREUSER (6), AZURE (6), VMADMIN (6), ADMINUSER (6), AZUREADMIN (5)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-24T20:58:39.6095585Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_222\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409295295183340_8020edfa-28a6-4376-95a3-fdadd3d60259/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"name\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T20:12:09.1962911Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T20:12:08.070395Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-23T19:00:08.8459776Z\",\r\n \"endTimeUtc\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_223\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_224\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous 
authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/23 19:00:08.8459776\",\r\n \"activity end time (UTC)\": \"2022/08/23 19:01:18.0275781\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.203\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"16\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (19), admin (3), user (1), test (1), defaultaccount (1), sys32 (1), localadmin (1), ferra (1), doctor (1), teste (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-23T19:01:18.0275781Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_225\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410195911540223_b32eb02f-06da-4577-930a-8a9b77496103/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"name\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:12:00.8153763Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:11:59.130347Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-22T18:52:43.9086436Z\",\r\n \"endTimeUtc\": \"2022-08-22T18:53:53.491231Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_226\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_227\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/22 18:52:43.9086436\",\r\n \"activity end time (UTC)\": \"2022/08/22 18:53:53.4912310\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.209\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"23\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (12), administrateur (2), david (2), hehe (1), yunus (1), defaultaccount (1), dispatch (1), usuari (1), owner (1), caijiwugongzhen (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-22T18:53:53.491231Z\",\r\n 
\"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_228\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411064360913563_4e3486b8-167a-4ee7-b245-87f55f892803/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"name\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-21T17:11:57.4816361Z\",\r\n \"processingEndTimeUtc\": \"2022-08-21T17:11:55.7633835Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-21T16:02:06.1108851Z\",\r\n \"endTimeUtc\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_229\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_230\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/21 16:02:06.1108851\",\r\n \"activity end time (UTC)\": \"2022/08/21 16:58:30.0357074\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"9\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (10), AZUREUSER (10), AZUREADMIN (10), AZURE (1), DADMIN (1), DEMOUSER (1), STUDENT (1), ADMINUSER (1), NFCADMIN (1), DEMO (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-21T16:58:30.0357074Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_231\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412030738891148_077ce0fd-67ec-4f6e-8f55-207b3a39cb16/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"name\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n 
\"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:20.2020498Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:34:42.624038Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_232\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_233\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": 
[\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:34:42.6240380\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:35:52.7204668\",\r\n \"attacker source IP\": \"IP Address: 80.66.88.214\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"37\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"27\",\r\n \"top accounts with failed sign in attempts (count)\": \"administrator (7), admin (3), administrador (2), user24 (1), ctb-daniele (1), defaultaccount (1), quesia.fernandes (1), jms (1), iusrplesk_smwebmail (1), user4 (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:35:52.7204668Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_234\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412911173759619_ed95360a-5aa0-4257-9e05-4b627c22c7f1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"name\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-20T16:12:28.0240769Z\",\r\n \"processingEndTimeUtc\": \"2022-08-20T16:12:16.5659301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-20T15:00:27.7591355Z\",\r\n \"endTimeUtc\": \"2022-08-20T15:59:05.698473Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_235\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_236\",\r\n \"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n 
}\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/20 15:00:27.7591355\",\r\n \"activity end time (UTC)\": \"2022/08/20 15:59:05.6984730\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"40\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"10\",\r\n \"top accounts with failed sign in attempts (count)\": \"VMADMIN (9), AZUREADMIN (8), AZUREUSER (8), ADMINUSER (5), USERADMIN (4), DADMIN (1), SQLUSER (1), NFCADMIN (1), SUPERVISOR (1), DEMOADMIN (1)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-20T15:59:05.698473Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n 
{\r\n \"$id\": \"westeurope_237\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517412931722408644_c0040ad1-ecca-4774-a076-c14ed6384fa2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Security/locations/westeurope/alerts/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"name\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-19T15:12:34.699902Z\",\r\n \"processingEndTimeUtc\": \"2022-08-19T15:12:33.4163413Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"VM_LoginBruteForceValidUserFailed\",\r\n \"startTimeUtc\": \"2022-08-19T14:01:57.6464956Z\",\r\n \"endTimeUtc\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"severity\": \"Medium\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6\",\r\n \"intent\": \"Probing\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"westeurope_238\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n },\r\n {\r\n \"$id\": \"westeurope_239\",\r\n 
\"workspaceId\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"workspaceSubscriptionId\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"workspaceResourceGroup\": \"mainws\",\r\n \"agentId\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"LogAnalytics\",\r\n \"workspaceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertsTest\",\r\n \"alertDisplayName\": \"Suspicious authentication activity\",\r\n \"description\": \"Although none of them succeeded, some of them used accounts were recognized by the host.\\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\\nThis indicates that some of your host account names might exist in a well-known account name dictionary.\",\r\n \"remediationSteps\": [\r\n \"1. Enforce the use of strong passwords and do not re-use them across multiple resources and services \",\r\n \"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)\",\r\n \"3. 
In case this is an Azure Virtual Machine, lock down access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time) \"\r\n ],\r\n \"extendedProperties\": {\r\n \"activity start time (UTC)\": \"2022/08/19 14:01:57.6464956\",\r\n \"activity end time (UTC)\": \"2022/08/19 14:57:10.3279386\",\r\n \"attacker source IP\": \"IP Address: 40.113.140.206\",\r\n \"attacker source computer name\": \"Unknown\",\r\n \"number of failed authentication attempts to host\": \"12\",\r\n \"number of existing accounts used by source to sign in\": \"1\",\r\n \"number of nonexistent accounts used by source to sign in\": \"5\",\r\n \"top accounts with failed sign in attempts (count)\": \"ADMINUSER (2), AZUREUSER (2), USERADMIN (2), AZUREADMIN (2), AZURE (2), STUDENT (2)\",\r\n \"was RDP session initiated\": \"No\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"end Time UTC\": \"2022-08-19T14:57:10.3279386Z\",\r\n \"killChainIntent\": \"Probing\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"westeurope_240\",\r\n \"hostName\": \"alertsTest\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\",\r\n \"omsAgentID\": \"7de44dca-5e07-4a1a-b45e-c273f7851eda\",\r\n \"type\": \"host\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413830823535043_094b7553-b67a-40a7-b8d6-daec3607bbf6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/TAKLEI/referencedFrom/alertDeepLink/location/westeurope\"\r\n }\r\n }\r\n ],\r\n \"nextLink\": 
\"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/activate?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzczNTE4ODI5MDE1MzM0OV9kMTRlOTVjMi00NTA4LTQyMWItOWYxYS0wMTdmNGU2ZGU1ZDYvYWN0aXZhdGU/YXBpLXZlcnNpb249MjAyMS0wMS0wMQ==", - "RequestMethod": "POST", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/alerts?api-version=2022-01-01&%24skiptoken=TVHLjpswAPwXVPVUgk3Ig0irKkkJyjZA49gmy82AN3Fig4udzWO1%2f1602kOlOc5DM%2fPuNPxmN6I5G2f27iyjFKP5huycmXO0VpuZ5ynWsANXvLED9rh0fFC1ahYEQ89cSlN1QlvRNsYLppOyDKYjtxyVwA0mkLthBWoXggmcjKH%2fOh2Hnu7aN1HzzniJqLrWtK92sOPVpRP27jHJO2t%2bMi3ct57Suz75wPddAHt8%2f2bOQuP2zJsnfn%2fOiv0RkHh1r2MJWB5edj4drU%2btSHYRyJarDMXVI8%2fhcxKFEd2jgslCY5Jck2g0RuqW0Pj2F5Ma1REkW5ymNE7umKLfJQmjHBOxWX5lqHD4n%2fcwFauUSRrgRqfJGZJ8r3utgRiiLiUhYQ%2f6h56kxnu9ZFJbhGm2fSwCrGDKoxshSmZcWZDnOmcAjpJftODy%2fMCyzhiU4y1eZAgSuxZXgRUN6hU6vqibxGpli916XDbUlMuroH33wqcAx%2bHpZY906QciOy1C5%2bOHwzo1Pxw6fmCW15%2bT9XfOUeJ8%2fAM%3d", + "EncodedRequestUri": "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", + "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "10cff901-ef3f-4949-9877-608d7b6cc987" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-original-request-ids": [ + "" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "x-ms-request-id": [ + "f38586a9-cca6-4e59-a297-efc9deafa5eb" + ], + "x-ms-correlation-request-id": [ + "f38586a9-cca6-4e59-a297-efc9deafa5eb" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092924Z:f38586a9-cca6-4e59-a297-efc9deafa5eb" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:24 GMT" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ], + "Content-Length": [ + "1233144" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"name\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-21T22:30:30.4576566Z\",\r\n \"processingEndTimeUtc\": \"2022-10-21T22:30:29.9447325Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [6]\\r\\nIP: 171.244.50.243 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 45.141.87.2 [9]\\r\\nIP: 45.141.87.9 [3]\\r\\nIP: 141.95.145.187 [3]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 31.43.185.3 [22]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 150.95.29.64 [2]\\r\\nIP: 45.226.126.252 [2]\\r\\nIP: 193.29.13.169 [9]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 72.18.147.142 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 195.133.20.78 [116]\\r\\nIP: 69.202.183.90 [3]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 147.78.47.147 [6]\\r\\nIP: 147.78.47.69 [9]\\r\\nIP: 45.141.87.10 [6]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 191.96.168.93 [9]\\r\\nIP: 45.227.254.20 [10]\\r\\nIP: 92.255.85.152 [5]\\r\\nIP: 89.250.82.36 
[2]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 88.214.25.14 [3]\\r\\nIP: 194.165.17.12 [4]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 173.254.223.125 [1]\\r\\nIP: 179.60.150.115 [16]\\r\\nIP: 193.29.13.170 [16]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 179.60.150.58 [8]\\r\\nIP: 94.26.248.176 [5]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 94.26.229.154 [2]\\r\\nIP: 147.78.47.154 [14]\\r\\nIP: 147.78.47.35 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 147.78.47.36 [3]\\r\\n4 more attempts by 2 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_6\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_7\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_8\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_9\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_10\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_11\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_12\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_13\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_14\",\r\n \"address\": \"150.95.29.64\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bangkok\",\r\n \"longitude\": 100.50177,\r\n \"latitude\": 13.75633,\r\n \"asn\": 135161,\r\n \"carrier\": \"Gmo-Z Com Netdesign Holdings Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_15\",\r\n \"address\": \"45.226.126.252\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Pernambuco\",\r\n \"city\": \"Recife\",\r\n \"longitude\": -34.9141,\r\n \"latitude\": -8.00264,\r\n \"asn\": 266962,\r\n \"carrier\": \"G M Da Costa Internet\",\r\n \"organization\": \"G M Da Costa Internet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_16\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_17\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_18\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_19\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_20\",\r\n \"address\": \"72.18.147.142\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Englewood\",\r\n \"longitude\": -104.87196,\r\n \"latitude\": 39.62401,\r\n \"asn\": 30475,\r\n \"carrier\": \"Handy Networks Llc\",\r\n \"organization\": \"Handy Networks Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_21\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_22\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_23\",\r\n \"address\": \"195.133.20.78\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_24\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n 
\"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_25\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_26\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_27\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_28\",\r\n \"address\": \"147.78.47.69\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_29\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_30\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_31\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_32\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_33\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_34\",\r\n \"address\": \"89.250.82.36\",\r\n \"location\": {\r\n \"countryCode\": \"KZ\",\r\n \"countryName\": \"Kazakhstan\",\r\n \"state\": \"Almaty City\",\r\n \"city\": \"Almaty\",\r\n \"longitude\": 76.94999,\r\n \"latitude\": 43.24999,\r\n \"asn\": 41419,\r\n \"carrier\": \"Kazrena\",\r\n \"organization\": \"Kazrena\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_35\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_36\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_37\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_38\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_39\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_40\",\r\n \"address\": \"173.254.223.125\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Tarzana\",\r\n \"longitude\": -118.54625,\r\n \"latitude\": 34.15501,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Quadranet Enterprises Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_41\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_42\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_43\",\r\n \"address\": 
\"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_44\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_45\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_46\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_47\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_48\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_49\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_50\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_51\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_52\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_53\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_54\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_55\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_56\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_6\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_57\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_7\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_58\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_8\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_59\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_9\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_60\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_10\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_61\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_11\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_62\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_12\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_63\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_13\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_64\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_14\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_65\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_15\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_66\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_16\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_67\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_17\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_68\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_18\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_69\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_19\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_70\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_20\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_71\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_21\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_72\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_22\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_73\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_23\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_74\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_24\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_75\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_25\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_76\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_26\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_77\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_27\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_78\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_28\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_79\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_29\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_80\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_30\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_81\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_31\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_82\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_32\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_83\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_33\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_84\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_34\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_85\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_35\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_86\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_36\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_87\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_37\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_88\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_38\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_89\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_39\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_90\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_40\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_91\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_41\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_92\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_42\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_93\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_43\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_94\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_44\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_95\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_45\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_96\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_46\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_97\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_47\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_98\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_48\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_99\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_49\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_50\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_51\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_52\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_53\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_b30cfa94-16c1-4b79-b5d3-9c675cdc044e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"name\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T20:55:37.293538Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T20:55:36.5852719Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": 
[\r\n {\r\n \"$id\": \"centralus_104\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 124.221.214.54 [85]\\r\\nIP: 61.177.172.104 [1]\\r\\nIP: 135.148.104.183 [1]\\r\\nIP: 152.136.192.58 [1]\\r\\nIP: 185.51.61.82 [1]\\r\\nIP: 61.177.172.147 [1]\\r\\nIP: 80.76.51.230 [1]\\r\\nIP: 207.154.207.116 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_105\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_106\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_107\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_108\",\r\n \"address\": \"61.177.172.104\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_109\",\r\n \"address\": \"135.148.104.183\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Reston\",\r\n \"longitude\": -77.34247,\r\n \"latitude\": 38.96097,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_110\",\r\n \"address\": \"152.136.192.58\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_111\",\r\n \"address\": \"185.51.61.82\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 42065,\r\n \"carrier\": \"Zao Electrontelecom\",\r\n \"organization\": \"Global Network Management Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_112\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_113\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_114\",\r\n \"address\": \"207.154.207.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_107\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_108\"\r\n },\r\n \"destinationPort\": 
22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_109\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_110\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_111\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_112\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_113\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_114\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517361631999999999_f6915bb1-1e24-4b03-9158-5f326c76624e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"name\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": 
\"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:32.6921658Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.383882Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-18T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_123\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 46.182.223.130 [1]\\r\\nIP: 197.26.19.254 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 182.61.13.82 [1]\\r\\nIP: 80.76.51.230 [2]\\r\\nIP: 35.245.223.130 [1]\\r\\nIP: 124.220.28.59 [1]\\r\\nIP: 61.177.173.35 [1]\\r\\nIP: 69.40.195.236 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 34.159.251.125 [1]\\r\\nIP: 40.72.187.176 [1]\\r\\nIP: 84.181.121.1 [1]\\r\\nIP: 121.5.105.147 [4]\\r\\nIP: 185.209.179.41 [1]\\r\\nIP: 35.246.78.205 [1]\\r\\nIP: 61.177.172.124 [1]\\r\\nIP: 124.221.214.54 [28]\\r\\nIP: 61.177.172.147 [2]\\r\\nIP: 34.83.98.1 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_124\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_125\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_126\",\r\n \"address\": \"46.182.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Groningen\",\r\n \"city\": \"Groningen\",\r\n \"longitude\": 6.5696,\r\n \"latitude\": 53.21686,\r\n \"asn\": 39704,\r\n \"carrier\": \"Cj2 Hosting B.V.\",\r\n \"organization\": \"Synatix Netblock # 2\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_127\",\r\n \"address\": \"197.26.19.254\",\r\n \"location\": {\r\n 
\"countryCode\": \"TN\",\r\n \"countryName\": \"Tunisia\",\r\n \"state\": \"Tunis\",\r\n \"city\": \"Tunis\",\r\n \"longitude\": 10.1717,\r\n \"latitude\": 36.798,\r\n \"asn\": 37492,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Agence Tunisienne Internet - Ati\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_128\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_129\",\r\n \"address\": \"182.61.13.82\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Zhongguancun\",\r\n \"longitude\": 116.31,\r\n \"latitude\": 39.978,\r\n \"asn\": 38365,\r\n \"carrier\": \"Beijing Baidu Netcom Science And Technology Co. Ltd.\",\r\n \"organization\": \"Beijing Baidu Netcom Science And Technology Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_130\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_131\",\r\n \"address\": \"35.245.223.130\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_132\",\r\n \"address\": \"124.220.28.59\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_133\",\r\n \"address\": \"61.177.173.35\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_134\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_135\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_136\",\r\n \"address\": \"34.159.251.125\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_137\",\r\n \"address\": \"40.72.187.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Shanghai\",\r\n \"longitude\": 121.47021,\r\n \"latitude\": 31.22847,\r\n 
\"asn\": 58593,\r\n \"carrier\": \"Shanghai Blue Cloud Technology Co. Ltd\",\r\n \"organization\": \"Shanghai Blue Cloud Technology Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_138\",\r\n \"address\": \"84.181.121.1\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Tuellingen\",\r\n \"longitude\": 7.668,\r\n \"latitude\": 47.615,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_139\",\r\n \"address\": \"121.5.105.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_140\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_141\",\r\n \"address\": \"35.246.78.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_142\",\r\n \"address\": \"61.177.172.124\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_143\",\r\n \"address\": \"124.221.214.54\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_144\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_145\",\r\n \"address\": \"34.83.98.1\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_126\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_127\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_128\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_129\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_130\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_131\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_132\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_133\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_134\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_135\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_136\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_137\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_138\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_139\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_140\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_141\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_142\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_143\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_144\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_145\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362459999999999_d5234c64-fc23-4fac-8b6e-23bd4bb652a4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"name\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-20T03:55:33.4948297Z\",\r\n \"processingEndTimeUtc\": \"2022-10-20T03:55:32.3866334Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-18T00:00:00Z\",\r\n \"endTimeUtc\": 
\"2022-10-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_166\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.204.41.152 [2]\\r\\nIP: 144.172.126.192 [2]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 91.240.242.3 [4]\\r\\nIP: 147.78.47.36 [10]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 88.214.25.14 [17]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 147.78.47.147 [4]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 191.96.168.93 [6]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 91.240.242.201 [8]\\r\\nIP: 45.227.254.8 [2]\\r\\nIP: 94.26.229.169 [1]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.137.233.50 [1]\\r\\nIP: 50.63.15.157 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 91.240.242.87 [17]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 45.141.84.83 [5]\\r\\nIP: 94.232.43.155 [2]\\r\\nIP: 194.165.17.12 [8]\\r\\nIP: 171.244.50.243 [3]\\r\\nIP: 141.98.83.132 [7]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 147.78.47.42 [8]\\r\\nIP: 46.161.27.101 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 45.141.87.6 [5]\\r\\nIP: 179.60.147.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n91 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_167\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_168\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_169\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_170\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_171\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_172\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_173\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n 
\"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_174\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_175\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_176\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_177\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_178\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n 
\"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_179\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_180\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_181\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_182\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_183\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_184\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_185\",\r\n \"address\": \"191.96.168.93\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_186\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_187\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_188\",\r\n \"address\": \"91.240.242.201\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": 
\"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_189\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_190\",\r\n \"address\": \"94.26.229.169\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_191\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_192\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_193\",\r\n \"address\": \"185.137.233.50\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Permskiy Kray\",\r\n \"city\": \"Perm\",\r\n \"longitude\": 56.25184,\r\n \"latitude\": 58.02006,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel 
Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_194\",\r\n \"address\": \"50.63.15.157\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_195\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_196\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_197\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_198\",\r\n \"address\": \"91.240.242.87\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_199\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_200\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_201\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_202\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_203\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_204\",\r\n \"address\": 
\"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_205\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_206\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_207\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_208\",\r\n \"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_209\",\r\n \"address\": \"92.255.85.186\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_210\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_211\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_212\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_213\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_214\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_215\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_216\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_217\",\r\n \"address\": \"179.60.147.204\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_218\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_186\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_246\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_262\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517362495999999999_f51b3d96-c7bb-4de5-8d34-d287bd2fdf17/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"name\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5199798Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1229647Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_269\",\r\n 
\"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.53 [1]\\r\\nIP: 43.142.245.166 [1]\\r\\nIP: 82.139.180.236 [1]\\r\\nIP: 39.91.166.121 [1]\\r\\nIP: 45.95.55.235 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 35.164.70.114 [1]\\r\\nIP: 61.177.172.19 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_270\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_271\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_272\",\r\n \"address\": \"61.177.173.53\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_273\",\r\n \"address\": \"43.142.245.166\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_274\",\r\n \"address\": \"82.139.180.236\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Podlaskie\",\r\n \"city\": \"Bialystok\",\r\n \"longitude\": 23.1482,\r\n \"latitude\": 53.11679,\r\n \"asn\": 8865,\r\n \"carrier\": \"Politechnika Bialostocka\",\r\n \"organization\": \"Politechnika Bialostocka\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_275\",\r\n \"address\": \"39.91.166.121\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"China Unicom Shandong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_276\",\r\n \"address\": \"45.95.55.235\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Rheinland-Pfalz\",\r\n \"city\": \"Koblenz\",\r\n \"longitude\": 7.5741,\r\n \"latitude\": 50.3849,\r\n \"asn\": 200303,\r\n \"carrier\": \"Jan Philipp Waldecker Trading As Lumaserv Systems\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_277\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_278\",\r\n \"address\": \"35.164.70.114\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n 
\"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_279\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_272\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_273\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_274\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_275\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_276\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_277\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_278\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_287\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_279\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363287999999999_a844ee8e-d913-41e9-bd45-d9a9b6dabd2a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"name\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-18T21:29:26.5332876Z\",\r\n \"processingEndTimeUtc\": \"2022-10-18T21:29:26.1234563Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-17T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_288\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP 
addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.122 [1]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 147.78.47.35 [5]\\r\\nIP: 80.66.76.159 [4]\\r\\nIP: 80.66.76.136 [1]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 103.43.177.129 [1]\\r\\nIP: 152.89.196.94 [5]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 80.66.76.141 [2]\\r\\nIP: 94.232.47.170 [8]\\r\\nIP: 80.66.76.161 [5]\\r\\nIP: 141.98.83.84 [11]\\r\\nIP: 141.98.83.133 [6]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 87.251.67.236 [3]\\r\\nIP: 80.66.76.126 [6]\\r\\nIP: 147.78.47.36 [2]\\r\\nIP: 12.233.48.50 [1]\\r\\nIP: 80.66.76.132 [3]\\r\\nIP: 80.66.76.184 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 193.29.13.170 [5]\\r\\nIP: 45.141.87.6 [3]\\r\\nIP: 141.98.83.164 
[4]\\r\\nIP: 87.251.67.238 [3]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 87.251.67.223 [5]\\r\\nIP: 80.66.76.129 [5]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 185.73.125.100 [4]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 80.66.76.165 [4]\\r\\nIP: 152.89.196.74 [2]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 194.165.17.24 [12]\\r\\nIP: 80.66.76.162 [3]\\r\\nIP: 194.165.17.12 [12]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 80.66.76.124 [4]\\r\\nIP: 94.26.248.179 [2]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 141.98.83.128 [3]\\r\\n505 more attempts by 101 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_289\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_290\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_291\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_292\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_293\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_294\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_295\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_296\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_297\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_298\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": 
\"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_299\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_300\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_301\",\r\n \"address\": \"103.43.177.129\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"Western Australia\",\r\n \"city\": \"Perth\",\r\n \"longitude\": 115.85859,\r\n \"latitude\": -31.9554,\r\n \"asn\": 133863,\r\n \"carrier\": \"Probax Pty Ltd\",\r\n \"organization\": \"Probax Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_302\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_303\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_304\",\r\n \"address\": \"80.66.76.141\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_305\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_306\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_307\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_308\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_309\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_310\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_311\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_312\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_313\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_314\",\r\n \"address\": \"12.233.48.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.50542,\r\n \"latitude\": 39.131,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"Frontier Schools System\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_315\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_316\",\r\n \"address\": \"80.66.76.184\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_317\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_318\",\r\n \"address\": \"193.29.13.170\",\r\n 
\"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_319\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_320\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_321\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_322\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_323\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_324\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_325\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_326\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_327\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_328\",\r\n \"address\": \"185.73.125.100\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 
100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_329\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_330\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_331\",\r\n \"address\": \"152.89.196.74\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_332\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_333\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_334\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_335\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_336\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_337\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_338\",\r\n \"address\": \"94.26.248.179\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_339\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_340\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_312\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_365\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_372\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517363359999999999_c554e5dd-a4f9-4963-a8b8-266bf33528fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"name\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.7305267Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.239572Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_391\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.36 [1]\\r\\nIP: 85.214.209.12 [1]\\r\\nIP: 195.19.96.168 [1]\\r\\nIP: 137.184.37.59 [1]\\r\\nIP: 165.22.248.214 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_392\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_393\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_394\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": 
{\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_395\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_396\",\r\n \"address\": \"85.214.209.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_397\",\r\n \"address\": \"195.19.96.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60778,\r\n \"latitude\": 55.81834,\r\n \"asn\": 12389,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Pjsc Rostelecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_398\",\r\n \"address\": \"137.184.37.59\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Palo Alto\",\r\n \"longitude\": -122.1512,\r\n \"latitude\": 37.44296,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_399\",\r\n 
\"address\": \"165.22.248.214\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.34738,\r\n \"latitude\": 47.61348,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_394\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_395\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_396\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_397\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_398\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_399\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364079999999999_20dde8ee-ef1a-4a99-8628-87ce4221db20/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"name\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-17T20:18:57.600268Z\",\r\n \"processingEndTimeUtc\": \"2022-10-17T20:18:57.2399048Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-16T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_406\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [4]\\r\\nIP: 94.26.229.154 [1]\\r\\nIP: 185.73.124.23 [9]\\r\\nIP: 45.141.87.10 [4]\\r\\nIP: 80.66.76.138 [3]\\r\\nIP: 87.251.64.140 [2]\\r\\nIP: 80.66.76.179 [2]\\r\\nIP: 64.251.14.96 [1]\\r\\nIP: 194.165.16.18 [7]\\r\\nIP: 87.251.67.238 [7]\\r\\nIP: 94.232.47.15 [3]\\r\\nIP: 80.66.76.159 [5]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 152.89.196.73 [9]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 147.78.47.29 [3]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 171.244.50.243 [7]\\r\\nIP: 12.168.189.21 [1]\\r\\nIP: 141.98.83.132 [10]\\r\\nIP: 80.66.76.168 [6]\\r\\nIP: 69.28.75.137 [1]\\r\\nIP: 80.66.76.169 [5]\\r\\nIP: 147.78.47.39 [15]\\r\\nIP: 181.214.218.32 [1]\\r\\nIP: 80.66.76.177 [2]\\r\\nIP: 80.66.76.137 [3]\\r\\nIP: 193.29.13.169 [10]\\r\\nIP: 185.73.125.21 [5]\\r\\nIP: 80.66.76.130 
[6]\\r\\nIP: 152.89.196.96 [5]\\r\\nIP: 80.66.76.136 [3]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.76.176 [10]\\r\\nIP: 152.89.196.99 [7]\\r\\nIP: 185.73.124.17 [8]\\r\\nIP: 188.124.36.118 [1]\\r\\nIP: 94.26.248.190 [1]\\r\\nIP: 80.66.76.181 [6]\\r\\nIP: 152.89.196.72 [9]\\r\\nIP: 45.227.254.20 [9]\\r\\nIP: 50.206.89.210 [1]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 80.66.76.126 [4]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 94.26.248.176 [2]\\r\\nIP: 80.66.76.152 [3]\\r\\nIP: 80.66.76.160 [2]\\r\\n558 more attempts by 123 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_407\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_408\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_409\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_410\",\r\n \"address\": \"94.26.229.154\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_411\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_412\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_413\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_414\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_415\",\r\n \"address\": \"80.66.76.179\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_416\",\r\n 
\"address\": \"64.251.14.96\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Fort Lauderdale\",\r\n \"longitude\": -80.12723,\r\n \"latitude\": 26.12112,\r\n \"asn\": 15083,\r\n \"carrier\": \"Infolink Global Corporation\",\r\n \"organization\": \"Serverpronto\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_417\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_418\",\r\n \"address\": \"87.251.67.238\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_419\",\r\n \"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_420\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_421\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_422\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_423\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_424\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_425\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_426\",\r\n \"address\": \"176.111.173.247\",\r\n 
\"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_427\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_428\",\r\n \"address\": \"12.168.189.21\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Germantown\",\r\n \"longitude\": -89.79201,\r\n \"latitude\": 35.08422,\r\n \"asn\": 7018,\r\n \"carrier\": \"Att Services Inc\",\r\n \"organization\": \"The Village At Germantown\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_429\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_430\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_431\",\r\n \"address\": \"69.28.75.137\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n 
\"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Orlando\",\r\n \"longitude\": -81.4335,\r\n \"latitude\": 28.61933,\r\n \"asn\": 6364,\r\n \"carrier\": \"Atlantic.Net\",\r\n \"organization\": \"Atlantic.Net Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_432\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_433\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_434\",\r\n \"address\": \"181.214.218.32\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_435\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_436\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_437\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_438\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_439\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_440\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_441\",\r\n \"address\": \"80.66.76.136\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_442\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_443\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_444\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_445\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_446\",\r\n \"address\": \"188.124.36.118\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Dzerzhinskiy\",\r\n \"longitude\": 37.8445,\r\n \"latitude\": 55.638,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_447\",\r\n \"address\": \"94.26.248.190\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_448\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_449\",\r\n \"address\": \"152.89.196.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n 
\"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_450\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_451\",\r\n \"address\": \"50.206.89.210\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Maryland\",\r\n \"city\": \"Gambrills\",\r\n \"longitude\": -76.66528,\r\n \"latitude\": 39.02566,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_452\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_453\",\r\n \"address\": \"80.66.76.126\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_454\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_455\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_456\",\r\n \"address\": \"94.26.248.176\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_457\",\r\n \"address\": \"80.66.76.152\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_458\",\r\n \"address\": \"80.66.76.160\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_459\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_419\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_479\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_436\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_438\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_496\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_498\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517364223999999999_4556135e-1ef5-46bf-b1f4-76b107b71ed9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"name\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.5931492Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6757317Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_509\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 34.168.149.255 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_510\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_511\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_512\",\r\n \"address\": 
\"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_513\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_514\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_515\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_512\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_513\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_514\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_515\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_e9a00741-eaa7-4af9-a42a-f780ab5c1484/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"name\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6149243Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2347122Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T08:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365663999999999_fe707616-4570-429b-9e73-790a3918e776\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_520\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 34.168.149.255 [1]\\r\\nIP: 34.67.85.236 [1]\\r\\nIP: 61.177.172.90 [1]\\r\\nIP: 205.185.113.42 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 69.40.195.236 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_521\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_522\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_523\",\r\n \"address\": \"34.168.149.255\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"The Dalles\",\r\n \"longitude\": -121.187,\r\n \"latitude\": 45.55425,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_524\",\r\n \"address\": \"34.67.85.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Council Bluffs\",\r\n \"longitude\": -95.87736,\r\n \"latitude\": 41.23296,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_525\",\r\n \"address\": \"61.177.172.90\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n 
\"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_526\",\r\n \"address\": \"205.185.113.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Nevada\",\r\n \"city\": \"Las Vegas\",\r\n \"longitude\": -115.22485,\r\n \"latitude\": 36.1424,\r\n \"asn\": 53667,\r\n \"carrier\": \"Frantech Solutions\",\r\n \"organization\": \"Frantech Solutions\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_527\",\r\n \"address\": \"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_528\",\r\n \"address\": \"69.40.195.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"North Carolina\",\r\n \"city\": \"Concord\",\r\n \"longitude\": -80.55684,\r\n \"latitude\": 35.4009,\r\n \"asn\": 7029,\r\n \"carrier\": \"Windstream Communications Llc\",\r\n \"organization\": \"Hudson Internet Pop - Dynamic Dsl Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_523\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_524\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_525\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_526\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_527\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_528\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365663999999999_fe707616-4570-429b-9e73-790a3918e776/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"name\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-15T19:58:11.565147Z\",\r\n \"processingEndTimeUtc\": \"2022-10-15T19:58:10.6760538Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8\",\r\n \"intent\": \"PreAttack\",\r\n 
\"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_535\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.164 [8]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 194.165.16.18 [10]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 141.98.83.130 [8]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 71.178.215.234 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.83.83 [8]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.84 [6]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 141.98.83.166 [12]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 141.98.83.85 [9]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 171.244.50.243 [1]\\r\\nIP: 212.103.60.106 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.124 [15]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 179.60.150.115 [9]\\r\\n55 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_536\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_537\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_538\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_539\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_540\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_541\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_542\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_543\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_544\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_545\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_546\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_547\",\r\n \"address\": \"71.178.215.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Fairfax\",\r\n \"longitude\": -77.2891,\r\n \"latitude\": 38.81818,\r\n \"asn\": 701,\r\n \"carrier\": \"Verizon\",\r\n \"organization\": \"Verizon\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_548\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_549\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_550\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_551\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_552\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_553\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_554\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_555\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_556\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_557\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_558\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n 
\"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_559\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_560\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_561\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_562\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_563\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_564\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_565\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_566\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_567\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_568\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_569\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_570\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_571\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_573\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_574\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_575\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_576\",\r\n \"address\": \"212.103.60.106\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Nuernberg\",\r\n \"longitude\": 11.0384,\r\n \"latitude\": 49.4358,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Tt1 Datacenter Ug (Haftungsbeschraenkt)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_577\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_578\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_579\",\r\n 
\"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_580\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_581\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_582\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_583\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_584\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_585\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_586\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_587\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_557\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_617\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_70bae063-44ea-483a-9eca-72890628adc8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"name\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-16T21:15:16.6618617Z\",\r\n \"processingEndTimeUtc\": \"2022-10-16T21:15:16.2350129Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-14T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_638\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 171.244.50.243 [1]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 191.96.168.246 [10]\\r\\nIP: 194.165.16.29 [2]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 89.44.9.29 [2]\\r\\nIP: 185.156.72.31 [1]\\r\\nIP: 141.98.83.165 [8]\\r\\nIP: 179.60.150.58 [7]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 144.172.126.136 [1]\\r\\nIP: 20.87.218.172 [3]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.164 [8]\\r\\nIP: 45.141.87.6 [7]\\r\\nIP: 104.161.77.173 [1]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 98.217.4.181 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 122.160.141.216 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.17.24 [5]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 24.18.46.38 [1]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 87.251.67.99 [7]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 62.233.50.123 [34]\\r\\nIP: 45.141.87.10 [1]\\r\\nIP: 147.78.47.35 [17]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 45.141.87.9 [8]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 162.142.125.219 [1]\\r\\nIP: 147.78.47.39 [4]\\r\\nIP: 88.214.25.14 [15]\\r\\nIP: 45.227.254.20 [12]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 45.141.87.2 [5]\\r\\n104 more attempts by 21 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_639\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_640\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_641\",\r\n \"address\": \"171.244.50.243\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_642\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_643\",\r\n \"address\": \"191.96.168.246\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_644\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_645\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_646\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_647\",\r\n \"address\": \"89.44.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Saint-Denis\",\r\n \"longitude\": 2.36488,\r\n \"latitude\": 48.93607,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Paris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_648\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_649\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_650\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_651\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_652\",\r\n \"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_653\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_654\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_655\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_656\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_657\",\r\n \"address\": \"104.161.77.173\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.01242,\r\n \"latitude\": 33.43202,\r\n \"asn\": 53755,\r\n \"carrier\": \"Input Output Flood Llc\",\r\n \"organization\": \"Input Output Flood Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_658\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_659\",\r\n \"address\": \"98.217.4.181\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Hopkinton\",\r\n \"longitude\": -71.53711,\r\n \"latitude\": 42.22023,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_660\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_661\",\r\n \"address\": \"122.160.141.216\",\r\n \"location\": {\r\n \"countryCode\": 
\"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.1428,\r\n \"latitude\": 28.6907,\r\n \"asn\": 24560,\r\n \"carrier\": \"Bharti Airtel Ltd.\",\r\n \"organization\": \"Abts Delhi \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_662\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_663\",\r\n \"address\": \"194.165.17.24\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_664\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_665\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_666\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n 
\"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_667\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_668\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_669\",\r\n \"address\": \"24.18.46.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Shoreline\",\r\n \"longitude\": -122.34728,\r\n \"latitude\": 47.75721,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_670\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_671\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_672\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_673\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_674\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_675\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_676\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 
55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_677\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_678\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_679\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_680\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_681\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 
4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_682\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_683\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_684\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_685\",\r\n \"address\": \"162.142.125.219\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_686\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_687\",\r\n \"address\": \"88.214.25.14\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_688\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_689\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_690\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_644\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_704\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_683\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_740\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517365951999999999_9969b40c-de01-4f48-8ad1-6252bee12ff8/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"name\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9805433Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8602187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T02:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_741\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.36 [1]\\r\\nIP: 61.177.172.19 [1]\\r\\nIP: 66.70.176.28 [1]\\r\\nIP: 43.140.205.176 [1]\\r\\nIP: 84.201.177.42 [1]\\r\\nIP: 176.31.240.226 [1]\\r\\nIP: 45.139.105.58 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 31.172.70.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_742\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_743\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_744\",\r\n \"address\": \"61.177.173.36\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_745\",\r\n \"address\": \"61.177.172.19\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_746\",\r\n \"address\": \"66.70.176.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_747\",\r\n \"address\": \"43.140.205.176\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_748\",\r\n \"address\": \"84.201.177.42\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.58903,\r\n \"latitude\": 55.73491,\r\n \"asn\": 200350,\r\n \"carrier\": \"Yandex.Cloud Llc\",\r\n \"organization\": \"Yandex Enterprise Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_749\",\r\n \"address\": \"176.31.240.226\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_750\",\r\n \"address\": \"45.139.105.58\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 138687,\r\n \"carrier\": \"Xdeer Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_751\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_752\",\r\n \"address\": \"31.172.70.163\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt-Ostend\",\r\n \"longitude\": 8.72751,\r\n \"latitude\": 50.11671,\r\n \"asn\": 44066,\r\n \"carrier\": \"Accelerated It Services & Consulting Gmbh\",\r\n 
\"organization\": \"Www.Fornex.Com Fornex Hosting S.L.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_744\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_745\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_746\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_747\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_748\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_749\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_750\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_751\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_752\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366743999999999_115e1809-369e-4e0f-874d-a4642ba1bdf7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"name\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-14T21:17:43.9755639Z\",\r\n \"processingEndTimeUtc\": \"2022-10-14T21:17:42.8608101Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-13T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_762\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.87.6 [9]\\r\\nIP: 141.98.83.125 [11]\\r\\nIP: 141.98.83.165 [9]\\r\\nIP: 94.232.43.155 [1]\\r\\nIP: 147.78.47.40 [2]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 80.66.88.215 [2]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 144.172.126.136 [3]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 194.165.17.12 [14]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 45.141.87.10 [12]\\r\\nIP: 147.78.47.29 [9]\\r\\nIP: 89.248.163.228 [1]\\r\\nIP: 45.141.84.87 [13]\\r\\nIP: 45.227.255.55 [2]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.89 [8]\\r\\nIP: 62.204.41.152 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 69.202.183.90 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 212.102.35.135 [26]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 141.98.83.128 
[4]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 193.29.13.170 [18]\\r\\nIP: 147.78.47.36 [6]\\r\\nIP: 194.165.16.18 [4]\\r\\nIP: 141.98.83.164 [1]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 144.172.126.192 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 193.29.13.169 [14]\\r\\nIP: 92.255.85.151 [12]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 147.78.47.42 [6]\\r\\nIP: 147.78.47.39 [12]\\r\\nIP: 147.78.47.35 [3]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 87.251.64.160 [3]\\r\\n29 more attempts by 7 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_763\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_764\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_765\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_766\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_767\",\r\n \"address\": \"141.98.83.165\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_768\",\r\n \"address\": \"94.232.43.155\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_769\",\r\n \"address\": \"147.78.47.40\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_770\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_771\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_772\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_773\",\r\n 
\"address\": \"144.172.126.136\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_774\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_775\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_776\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_777\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_778\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_779\",\r\n \"address\": \"89.248.163.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_780\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_781\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_782\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_783\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_784\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_785\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_786\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_787\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_788\",\r\n 
\"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_789\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_790\",\r\n \"address\": \"69.202.183.90\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.95873,\r\n \"latitude\": 40.64541,\r\n \"asn\": 12271,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_791\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_792\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_793\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n 
\"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_794\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_795\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_796\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_797\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_798\",\r\n \"address\": \"147.78.47.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_799\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_800\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_801\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_802\",\r\n \"address\": \"144.172.126.192\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Dover\",\r\n \"longitude\": -75.49399,\r\n \"latitude\": 39.15765,\r\n \"asn\": 396881,\r\n \"carrier\": \"Drserver.Net\",\r\n \"organization\": \"Drserver International\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_803\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_804\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_805\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyivs'ka Oblast'\",\r\n \"city\": \"Boryspil'\",\r\n \"longitude\": 30.9561,\r\n \"latitude\": 50.3482,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_806\",\r\n \"address\": \"193.29.13.169\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_807\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_808\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_809\",\r\n \"address\": \"147.78.47.42\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_810\",\r\n \"address\": \"147.78.47.39\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_811\",\r\n \"address\": \"147.78.47.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_812\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_813\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_814\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_778\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_838\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_841\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517366815999999999_79835fed-9e98-4a12-809c-d073868f0f29/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n 
\"name\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:02:46.33272Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.807019Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T15:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_865\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.173.46 [1]\\r\\nIP: 211.210.79.220 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_866\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_867\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_868\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_869\",\r\n \"address\": \"211.210.79.220\",\r\n \"location\": {\r\n \"countryCode\": \"KR\",\r\n \"countryName\": \"Korea (South)\",\r\n \"state\": \"Seoul Teukbyeolsi\",\r\n \"city\": \"Seoul\",\r\n \"longitude\": 126.98265,\r\n \"latitude\": 37.561,\r\n \"asn\": 9318,\r\n \"carrier\": \"Sk Broadband Co Ltd\",\r\n \"organization\": \"Danal\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_868\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_869\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367139999999999_0c3fa9bb-4940-48ba-afec-dd90d8d07a14/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"name\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-13T21:03:57.9379168Z\",\r\n \"processingEndTimeUtc\": \"2022-10-13T21:02:45.8071653Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n 
\"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-12T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_872\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.158 [4]\\r\\nIP: 45.227.254.20 [14]\\r\\nIP: 80.66.76.178 [3]\\r\\nIP: 87.251.67.223 [3]\\r\\nIP: 185.73.124.20 [3]\\r\\nIP: 194.165.17.12 [10]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 80.66.76.151 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.143 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 80.66.76.174 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 20.87.218.172 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.76.142 [3]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 87.251.67.230 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.139 [1]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.164 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 129.153.120.234 [1]\\r\\nIP: 212.102.35.135 [17]\\r\\nIP: 45.141.87.6 [6]\\r\\nIP: 80.66.76.131 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 147.78.47.29 [5]\\r\\nIP: 194.165.16.16 [2]\\r\\nIP: 87.251.67.232 [4]\\r\\nIP: 80.66.76.159 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.138 [2]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 80.66.76.165 [2]\\r\\nIP: 80.66.76.175 [2]\\r\\nIP: 80.66.76.140 [2]\\r\\nIP: 159.242.227.27 [1]\\r\\nIP: 193.29.13.170 [12]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 185.73.124.19 [1]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 45.141.87.2 [2]\\r\\n152 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_873\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_874\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_875\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_876\",\r\n \"address\": \"45.227.254.20\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_877\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_878\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_879\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_880\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_881\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_882\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_883\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_884\",\r\n \"address\": \"80.66.76.143\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_885\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_886\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_887\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_888\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_889\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay 
S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_890\",\r\n \"address\": \"20.87.218.172\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_891\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_892\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_893\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_894\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n 
\"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_895\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_896\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_897\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_898\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_899\",\r\n \"address\": \"80.66.76.164\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_900\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_901\",\r\n \"address\": \"129.153.120.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Redwood City\",\r\n \"longitude\": -122.24714,\r\n \"latitude\": 37.53475,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_902\",\r\n \"address\": \"212.102.35.135\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_903\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_904\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n 
\"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_905\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_906\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_907\",\r\n \"address\": \"147.78.47.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_908\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_909\",\r\n \"address\": \"87.251.67.232\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_910\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_911\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_912\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_913\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_914\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n 
\"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_915\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_916\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_917\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_918\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_919\",\r\n \"address\": \"159.242.227.27\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": 
\"Wandsworth\",\r\n \"longitude\": -0.18333,\r\n \"latitude\": 51.45,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_920\",\r\n \"address\": \"193.29.13.170\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 42397,\r\n \"carrier\": \"Bunea Telecom Srl\",\r\n \"organization\": \"Bunea Telecom Srl\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_921\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_922\",\r\n \"address\": \"185.73.124.19\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_923\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_924\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 
30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_903\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_963\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517367679999999999_250f57d7-7a8d-4ab9-9409-00bae632c619/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"name\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:25:11.5033705Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.2368114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_975\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 62.210.205.240 [1]\\r\\nIP: 219.130.135.190 [8]\\r\\nIP: 77.232.100.220 [1]\\r\\nIP: 167.99.49.113 [1]\\r\\nIP: 61.177.172.147 [3]\\r\\nIP: 54.200.70.29 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_976\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_977\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_978\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_979\",\r\n \"address\": \"219.130.135.190\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Jiangmen\",\r\n \"longitude\": 113.08611,\r\n \"latitude\": 22.58388,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Jiangmen Global Eyes Police Bureau\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_980\",\r\n \"address\": \"77.232.100.220\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Makkah\",\r\n 
\"city\": \"Jiddah\",\r\n \"longitude\": 39.184,\r\n \"latitude\": 21.538,\r\n \"asn\": 43766,\r\n \"carrier\": \"Mtc Ksa\",\r\n \"organization\": \"Mtc Ksa\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_981\",\r\n \"address\": \"167.99.49.113\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_982\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_983\",\r\n \"address\": \"54.200.70.29\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Boardman\",\r\n \"longitude\": -119.81143,\r\n \"latitude\": 45.73723,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon.Com Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_984\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_978\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_985\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_979\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_986\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_980\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_981\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_982\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_983\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368507999999999_dff0c06d-29a8-4a11-821f-7ea11f135b33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"name\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-12T21:27:02.3321686Z\",\r\n \"processingEndTimeUtc\": \"2022-10-12T21:25:11.237187Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-11T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_990\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.129 [1]\\r\\nIP: 80.66.88.207 [5]\\r\\nIP: 194.165.16.29 [9]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 87.251.67.236 [2]\\r\\nIP: 80.66.76.186 [2]\\r\\nIP: 80.66.76.153 [4]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 45.141.87.9 [5]\\r\\nIP: 141.98.83.164 [5]\\r\\nIP: 80.66.76.163 [2]\\r\\nIP: 80.66.76.142 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 152.89.196.94 [3]\\r\\nIP: 80.66.76.120 [1]\\r\\nIP: 80.66.76.174 [5]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 185.73.124.17 [2]\\r\\nIP: 80.66.76.183 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 80.66.76.181 [1]\\r\\nIP: 80.66.76.130 [2]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 80.66.76.168 [2]\\r\\nIP: 185.73.124.14 [1]\\r\\nIP: 80.66.76.173 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 152.89.196.99 [2]\\r\\nIP: 80.66.76.172 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.73.124.20 [1]\\r\\nIP: 45.141.87.2 [4]\\r\\nIP: 80.66.76.154 [2]\\r\\nIP: 152.89.196.92 [2]\\r\\nIP: 80.66.76.137 [1]\\r\\nIP: 80.66.76.127 [1]\\r\\nIP: 152.89.196.86 [2]\\r\\nIP: 194.165.16.158 [3]\\r\\nIP: 141.98.83.128 [3]\\r\\nIP: 185.73.124.23 [5]\\r\\nIP: 45.141.87.6 [9]\\r\\nIP: 80.66.76.176 [4]\\r\\nIP: 141.95.145.187 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 80.66.76.175 [1]\\r\\nIP: 80.66.76.129 [3]\\r\\nIP: 80.66.76.123 [1]\\r\\nIP: 45.141.84.86 [4]\\r\\n148 more attempts by 47 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_991\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_992\",\r\n 
\"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_993\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_994\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_995\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_996\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_997\",\r\n \"address\": \"87.251.67.236\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 
52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_998\",\r\n \"address\": \"80.66.76.186\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_999\",\r\n \"address\": \"80.66.76.153\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1000\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1001\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1002\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1003\",\r\n \"address\": \"141.98.83.164\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1004\",\r\n \"address\": \"80.66.76.163\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1005\",\r\n \"address\": \"80.66.76.142\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1006\",\r\n \"address\": 
\"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1007\",\r\n \"address\": \"152.89.196.94\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1008\",\r\n \"address\": \"80.66.76.120\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1009\",\r\n \"address\": \"80.66.76.174\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1010\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1011\",\r\n \"address\": \"185.73.124.17\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1012\",\r\n \"address\": \"80.66.76.183\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1013\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1014\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1015\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1016\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1017\",\r\n \"address\": \"80.66.76.168\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1018\",\r\n \"address\": \"185.73.124.14\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1019\",\r\n \"address\": \"80.66.76.173\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1020\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1021\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1022\",\r\n \"address\": \"80.66.76.172\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1023\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1024\",\r\n \"address\": \"185.73.124.20\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1025\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1026\",\r\n \"address\": \"80.66.76.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1027\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1028\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1029\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1030\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1031\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1032\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1033\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1034\",\r\n \"address\": \"45.141.87.6\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1035\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1036\",\r\n \"address\": \"141.95.145.187\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1037\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1038\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1039\",\r\n \"address\": \"80.66.76.175\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1040\",\r\n \"address\": \"80.66.76.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1041\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1042\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1049\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1072\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1073\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1074\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1075\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1076\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1077\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1027\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1078\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1028\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1079\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1029\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1080\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1030\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1081\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1031\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1082\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1032\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1083\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1033\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1084\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1034\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1085\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1035\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1086\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1036\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1087\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1037\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1088\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1038\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1089\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1039\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517368543999999999_b5510f78-06ce-46f8-98fc-0952549296b4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"name\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:22.6254055Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.3353053Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1093\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.147 [4]\\r\\nIP: 117.33.157.42 [1]\\r\\nIP: 44.203.254.12 [1]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 218.92.0.221 [1]\\r\\nIP: 61.177.173.52 [1]\\r\\nIP: 61.177.173.46 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 61.177.172.98 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1094\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1095\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1096\",\r\n \"address\": \"61.177.172.147\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1097\",\r\n \"address\": \"117.33.157.42\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 134768,\r\n \"carrier\": \"Chinanet Shaanxi Province Cloud Base Network\",\r\n \"organization\": \"Chinanet Shanxi(Sn) Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1098\",\r\n \"address\": 
\"44.203.254.12\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 14618,\r\n \"carrier\": \"Amazon.Com Inc.\",\r\n \"organization\": \"Amazon Data Services Nova\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1099\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1100\",\r\n \"address\": \"218.92.0.221\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1101\",\r\n \"address\": \"61.177.173.52\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1102\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1103\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1104\",\r\n \"address\": \"61.177.172.98\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1096\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1097\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1098\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1099\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1100\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1101\"\r\n },\r\n \"destinationPort\": 22,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1102\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1103\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1104\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369371999999999_33dea9b6-1d58-4ba3-8c49-6f5075a81084/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"name\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-11T20:11:23.0830696Z\",\r\n \"processingEndTimeUtc\": \"2022-10-11T20:11:22.335884Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-10T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n 
{\r\n \"$id\": \"centralus_1114\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.131 [3]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 80.66.76.139 [2]\\r\\nIP: 141.98.83.130 [12]\\r\\nIP: 176.111.174.130 [16]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 80.66.76.140 [1]\\r\\nIP: 152.89.196.86 [3]\\r\\nIP: 80.66.76.177 [3]\\r\\nIP: 87.251.67.226 [2]\\r\\nIP: 80.66.76.178 [1]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 80.66.76.167 [1]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 80.66.76.166 [1]\\r\\nIP: 152.89.196.99 [1]\\r\\nIP: 176.111.174.116 [28]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 71.27.142.134 [1]\\r\\nIP: 45.227.254.29 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 152.89.196.83 [1]\\r\\nIP: 80.66.76.182 [4]\\r\\nIP: 141.98.83.166 [3]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 80.66.76.187 [2]\\r\\nIP: 194.165.17.12 [6]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 152.89.196.81 [1]\\r\\nIP: 87.251.67.230 [2]\\r\\nIP: 94.232.47.170 [3]\\r\\nIP: 80.66.76.159 [3]\\r\\nIP: 87.251.67.229 [1]\\r\\nIP: 80.66.76.122 [1]\\r\\nIP: 185.73.124.23 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 179.60.150.58 [4]\\r\\nIP: 94.232.47.15 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 191.96.168.102 [23]\\r\\nIP: 80.66.76.181 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.76.162 [1]\\r\\nIP: 80.66.76.121 [2]\\r\\nIP: 87.251.67.231 [1]\\r\\nIP: 87.251.67.228 [2]\\r\\nIP: 80.66.76.185 [2]\\r\\n244 more attempts by 54 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1115\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1116\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1117\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1118\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1119\",\r\n \"address\": \"80.66.76.139\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1120\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1121\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 
57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1122\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1123\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1124\",\r\n \"address\": \"80.66.76.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1125\",\r\n \"address\": \"152.89.196.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1126\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1127\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1128\",\r\n \"address\": \"80.66.76.178\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1129\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1130\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1131\",\r\n \"address\": \"87.251.67.224\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1132\",\r\n \"address\": \"80.66.76.166\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1133\",\r\n \"address\": \"152.89.196.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1134\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1135\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1136\",\r\n \"address\": \"71.27.142.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Westland\",\r\n \"longitude\": -83.37131,\r\n \"latitude\": 42.33206,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1137\",\r\n \"address\": \"45.227.254.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1138\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1139\",\r\n \"address\": \"152.89.196.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way 
Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1140\",\r\n \"address\": \"80.66.76.182\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1141\",\r\n \"address\": \"141.98.83.166\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1142\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1143\",\r\n \"address\": \"80.66.76.187\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1144\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1145\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1146\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1147\",\r\n \"address\": \"87.251.67.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1148\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1149\",\r\n \"address\": \"80.66.76.159\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1150\",\r\n \"address\": \"87.251.67.229\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1151\",\r\n \"address\": \"80.66.76.122\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1152\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1153\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1154\",\r\n \"address\": \"179.60.150.58\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1155\",\r\n 
\"address\": \"94.232.47.15\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1156\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1157\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1158\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1159\",\r\n \"address\": \"191.96.168.102\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1160\",\r\n \"address\": \"80.66.76.181\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1161\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1162\",\r\n \"address\": \"80.66.76.162\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1163\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1164\",\r\n \"address\": \"87.251.67.231\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1165\",\r\n \"address\": \"87.251.67.228\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1166\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1119\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1123\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1175\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1125\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1176\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1126\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1177\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1127\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1178\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1128\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1179\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1129\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1180\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1130\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1181\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1131\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1132\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1183\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1133\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1134\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1135\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1136\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1137\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1138\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1139\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1140\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1141\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1142\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1201\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1152\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1212\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517369407999999999_673f2ee3-d10f-47cb-99d9-66d973a683bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"name\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.764174Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.032772Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": 
\"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T01:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1217\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.209.179.41 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.172.143 [10]\\r\\nIP: 128.199.192.230 [1]\\r\\nIP: 61.177.172.108 [1]\\r\\nIP: 61.177.173.37 [1]\\r\\nIP: 62.210.209.36 [1]\\r\\nIP: 218.75.136.139 [25]\\r\\nIP: 194.5.193.132 [3]\\r\\nIP: 162.142.125.213 [1]\\r\\nIP: 124.220.16.45 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1218\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1219\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1220\",\r\n \"address\": \"185.209.179.41\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Valley Cottage\",\r\n \"longitude\": -73.92899,\r\n \"latitude\": 41.12222,\r\n \"asn\": 396356,\r\n \"carrier\": \"Maxihost Llc\",\r\n \"organization\": \"Latitude.Sh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1221\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1222\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1223\",\r\n \"address\": \"128.199.192.230\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1224\",\r\n \"address\": \"61.177.172.108\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1225\",\r\n \"address\": \"61.177.173.37\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1226\",\r\n \"address\": \"62.210.209.36\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online 
Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1227\",\r\n \"address\": \"218.75.136.139\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Hunan\",\r\n \"city\": \"Changde\",\r\n \"longitude\": 111.71167,\r\n \"latitude\": 29.04722,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Hn Changde Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1228\",\r\n \"address\": \"194.5.193.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208006,\r\n \"carrier\": \"Softqloud Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1229\",\r\n \"address\": \"162.142.125.213\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Ann Arbor\",\r\n \"longitude\": -83.71418,\r\n \"latitude\": 42.27317,\r\n \"asn\": 398324,\r\n \"carrier\": \"Censys Inc.\",\r\n \"organization\": \"Censys Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1230\",\r\n \"address\": \"124.220.16.45\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Beijing Shi\",\r\n \"city\": \"Beijing\",\r\n \"longitude\": 116.37923,\r\n \"latitude\": 39.91176,\r\n \"asn\": 45090,\r\n \"carrier\": \"Shenzhen Tencent Computer Systems Company Limited\",\r\n \"organization\": \"Tencent Cloud Computing (Beijing) Co. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1220\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1221\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1222\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1223\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1224\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1225\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1226\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1227\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1228\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1229\"\r\n },\r\n 
\"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1230\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370235999999999_c9a3aa4b-dc7c-45e1-aa5f-dc259ddbfba6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"name\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-10T20:02:27.4002488Z\",\r\n \"processingEndTimeUtc\": \"2022-10-10T20:02:26.0336346Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-09T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1242\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.76.123 [2]\\r\\nIP: 87.251.67.226 [1]\\r\\nIP: 80.66.76.170 [3]\\r\\nIP: 80.66.76.151 [1]\\r\\nIP: 80.66.76.138 [1]\\r\\nIP: 103.168.205.209 [1]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 80.66.76.121 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 80.66.76.132 [2]\\r\\nIP: 80.66.76.127 [2]\\r\\nIP: 152.89.196.96 [4]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 92.255.85.192 [8]\\r\\nIP: 80.66.76.167 [2]\\r\\nIP: 87.251.67.224 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 152.89.196.73 [1]\\r\\nIP: 80.66.76.176 [1]\\r\\nIP: 147.78.47.149 [3]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 80.66.76.131 [1]\\r\\nIP: 176.111.174.73 [25]\\r\\nIP: 185.73.125.21 [3]\\r\\nIP: 80.66.76.165 [1]\\r\\nIP: 80.66.76.124 [1]\\r\\nIP: 87.251.67.223 [2]\\r\\nIP: 141.98.83.127 [7]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 80.66.76.130 [1]\\r\\nIP: 80.66.76.125 [1]\\r\\nIP: 94.232.47.170 [2]\\r\\nIP: 194.165.16.17 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 185.73.125.225 [1]\\r\\nIP: 207.244.72.33 [1]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 162.244.33.16 [4]\\r\\nIP: 152.89.196.81 [3]\\r\\nIP: 139.59.109.139 [1]\\r\\nIP: 80.66.76.185 [2]\\r\\nIP: 80.66.76.161 [1]\\r\\nIP: 80.66.76.137 [2]\\r\\nIP: 80.66.76.177 [1]\\r\\nIP: 80.66.76.169 [1]\\r\\nIP: 185.73.124.23 [1]\\r\\nIP: 87.251.67.239 [1]\\r\\nIP: 152.89.196.92 [4]\\r\\nIP: 113.190.245.2 [1]\\r\\n88 more attempts by 42 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1243\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1244\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1245\",\r\n \"address\": \"80.66.76.123\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1246\",\r\n \"address\": \"87.251.67.226\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1247\",\r\n \"address\": \"80.66.76.170\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1248\",\r\n \"address\": \"80.66.76.151\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1249\",\r\n \"address\": \"80.66.76.138\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 
208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1250\",\r\n \"address\": \"103.168.205.209\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"longitude\": 77.0,\r\n \"latitude\": 20.0,\r\n \"asn\": 132925,\r\n \"carrier\": \"Ideastack Solutions Private Limited\",\r\n \"organization\": \"Blue Space Technology\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1251\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1252\",\r\n \"address\": \"80.66.76.121\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1253\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1254\",\r\n \"address\": \"80.66.76.132\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1255\",\r\n \"address\": \"80.66.76.127\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1256\",\r\n \"address\": \"152.89.196.96\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1257\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1258\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1259\",\r\n \"address\": \"80.66.76.167\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1260\",\r\n \"address\": \"87.251.67.224\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1261\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1262\",\r\n \"address\": \"152.89.196.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1263\",\r\n \"address\": \"80.66.76.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1264\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1265\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1266\",\r\n \"address\": \"80.66.76.131\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1267\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1268\",\r\n \"address\": \"185.73.125.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1269\",\r\n \"address\": \"80.66.76.165\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1270\",\r\n \"address\": \"80.66.76.124\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1271\",\r\n \"address\": \"87.251.67.223\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1272\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1273\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n 
\"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1274\",\r\n \"address\": \"80.66.76.130\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1275\",\r\n \"address\": \"80.66.76.125\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1276\",\r\n \"address\": \"94.232.47.170\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1277\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1278\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1279\",\r\n \"address\": \"185.73.125.225\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"longitude\": 100.0,\r\n \"latitude\": 60.0,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1280\",\r\n \"address\": \"207.244.72.33\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"District Of Columbia\",\r\n \"city\": \"Washington\",\r\n \"longitude\": -77.0284,\r\n \"latitude\": 38.9069,\r\n \"asn\": 30633,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1281\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1282\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1283\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1284\",\r\n \"address\": \"152.89.196.81\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1285\",\r\n \"address\": \"139.59.109.139\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1286\",\r\n \"address\": \"80.66.76.185\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1287\",\r\n \"address\": \"80.66.76.161\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1288\",\r\n \"address\": \"80.66.76.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1289\",\r\n \"address\": \"80.66.76.177\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1290\",\r\n \"address\": \"80.66.76.169\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1291\",\r\n \"address\": \"185.73.124.23\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1292\",\r\n \"address\": \"87.251.67.239\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1293\",\r\n \"address\": \"152.89.196.92\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1294\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1300\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1250\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1329\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370271999999999_877567db-b219-48b7-9ee9-70fb11fae1bb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"name\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-10-09T19:56:07.1561879Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5371227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T04:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1345\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 61.177.172.143 [1]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 61.177.173.49 [1]\\r\\nIP: 61.177.173.51 [1]\\r\\nIP: 14.215.48.214 [3]\\r\\nIP: 61.177.173.46 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1346\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1347\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1348\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1349\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1350\",\r\n \"address\": 
\"61.177.173.49\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1351\",\r\n \"address\": \"61.177.173.51\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1352\",\r\n \"address\": \"14.215.48.214\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Yunnan\",\r\n \"city\": \"Ruili\",\r\n \"longitude\": 97.85808,\r\n \"latitude\": 23.99516,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1353\",\r\n \"address\": \"61.177.173.46\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1348\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1349\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1350\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1351\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1352\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1353\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517370991999999999_3eac6756-089b-4df9-abac-b6b10cec8e49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"name\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-09T19:56:07.4442606Z\",\r\n \"processingEndTimeUtc\": \"2022-10-09T19:56:06.5374986Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-08T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n 
\"isIncident\": false,\r\n \"systemAlertId\": \"2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1360\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 91.240.118.113 [5]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 92.255.85.156 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 162.244.33.16 [1]\\r\\nIP: 62.233.50.123 [7]\\r\\nIP: 194.165.16.17 [8]\\r\\nIP: 116.58.22.75 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.128 [5]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 92.255.85.186 [1]\\r\\nIP: 176.111.174.200 [3]\\r\\nIP: 96.93.214.186 [1]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 176.111.174.71 [13]\\r\\nIP: 92.255.85.192 [3]\\r\\nIP: 20.168.51.145 [1]\\r\\nIP: 194.165.16.18 [6]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 147.78.47.149 [7]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 87.251.67.64 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 176.111.174.73 [21]\\r\\nIP: 80.66.88.205 [3]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1361\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1362\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1363\",\r\n 
\"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1364\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1365\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1366\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1367\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1368\",\r\n \"address\": \"80.66.88.213\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1369\",\r\n \"address\": \"92.255.85.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1370\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1371\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1372\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1373\",\r\n \"address\": \"194.165.16.37\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1374\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1375\",\r\n \"address\": \"162.244.33.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Fremont\",\r\n \"longitude\": -121.91032,\r\n \"latitude\": 37.52879,\r\n \"asn\": 14576,\r\n \"carrier\": \"Hosting Solution Ltd.\",\r\n \"organization\": \"Hosting Solution Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1376\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1377\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1378\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1380\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1381\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1382\",\r\n \"address\": \"92.255.85.186\",\r\n 
\"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1383\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1384\",\r\n \"address\": \"96.93.214.186\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Colorado\",\r\n \"city\": \"Denver\",\r\n \"longitude\": -104.98564,\r\n \"latitude\": 39.74249,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1385\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1386\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1387\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1388\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1389\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1390\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1391\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1392\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1393\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1394\",\r\n \"address\": \"92.255.85.192\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1395\",\r\n \"address\": \"20.168.51.145\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1396\",\r\n \"address\": \"194.165.16.18\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1397\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1398\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1399\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 
16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1400\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1401\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1402\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1403\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1404\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1405\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1370\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1422\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_1380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1428\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1399\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371135999999999_c96dabcd-17e0-455a-a6eb-4dcc369d3b9e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"name\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.8559195Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.200106Z\",\r\n \"version\": 
\"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T07:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1447\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.43.155.133 [2]\\r\\nIP: 62.210.205.240 [1]\\r\\nIP: 34.105.172.112 [1]\\r\\nIP: 61.177.172.143 [2]\\r\\nIP: 107.152.46.102 [2]\\r\\nIP: 61.177.173.47 [1]\\r\\nIP: 49.88.112.109 [1]\\r\\nIP: 47.108.112.40 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1448\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1449\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1450\",\r\n \"address\": \"179.43.155.133\",\r\n \"location\": {\r\n \"countryCode\": \"CH\",\r\n \"countryName\": \"Switzerland\",\r\n \"state\": \"Zuerich\",\r\n \"city\": \"Zuerich\",\r\n \"longitude\": 8.53695,\r\n \"latitude\": 47.37417,\r\n \"asn\": 51852,\r\n \"carrier\": \"Private Layer Inc\",\r\n \"organization\": \"Private Layer Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1451\",\r\n \"address\": \"62.210.205.240\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.3365,\r\n \"latitude\": 48.8814,\r\n \"asn\": 12876,\r\n \"carrier\": \"Online S.A.S.\",\r\n \"organization\": \"Online Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1452\",\r\n \"address\": \"34.105.172.112\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": 
\"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Enfield\",\r\n \"longitude\": -0.10639,\r\n \"latitude\": 51.64694,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1453\",\r\n \"address\": \"61.177.172.143\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Huaqiaozhen\",\r\n \"longitude\": 121.089,\r\n \"latitude\": 31.302,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1454\",\r\n \"address\": \"107.152.46.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Illinois\",\r\n \"city\": \"Glenview\",\r\n \"longitude\": -87.82326,\r\n \"latitude\": 42.08015,\r\n \"asn\": 46844,\r\n \"carrier\": \"Sharktech\",\r\n \"organization\": \"Servercheap Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1455\",\r\n \"address\": \"61.177.173.47\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": \"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1456\",\r\n \"address\": \"49.88.112.109\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanghai Shi\",\r\n \"city\": \"Xuhui Qu\",\r\n \"longitude\": 121.41498,\r\n \"latitude\": 31.17389,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1457\",\r\n \"address\": \"47.108.112.40\",\r\n 
\"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Hangzhou\",\r\n \"longitude\": 120.15889,\r\n \"latitude\": 30.23556,\r\n \"asn\": 37963,\r\n \"carrier\": \"Hangzhou Alibaba Advertising Co. Ltd.\",\r\n \"organization\": \"Aliyun Computing Co. Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1450\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1451\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1452\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1453\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1454\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1455\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1456\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1457\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n 
\"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371747999999999_6e699ea8-fb70-478f-b074-3d90c4052e1b/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"name\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-08T19:27:10.7887447Z\",\r\n \"processingEndTimeUtc\": \"2022-10-08T19:27:10.2008025Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-07T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1466\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 94.232.47.4 [13]\\r\\nIP: 193.37.69.219 [25]\\r\\nIP: 80.66.88.203 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 176.111.174.73 [3]\\r\\nIP: 141.98.9.37 [12]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 36.95.205.132 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 80.66.88.129 [3]\\r\\nIP: 87.251.64.140 [5]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 173.15.245.6 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 181.214.218.55 [5]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 91.240.118.184 [8]\\r\\nIP: 116.58.22.75 [3]\\r\\nIP: 176.111.174.71 [9]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 176.111.174.130 [13]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 147.78.47.146 [7]\\r\\nIP: 45.227.254.25 [5]\\r\\nIP: 176.111.174.200 
[10]\\r\\nIP: 141.98.83.125 [1]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 103.30.29.29 [1]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.158 [4]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1467\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1468\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1469\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1470\",\r\n \"address\": \"193.37.69.219\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1471\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1472\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1473\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1474\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1475\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1476\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1477\",\r\n \"address\": \"36.95.205.132\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8311,\r\n \"latitude\": -6.1851,\r\n \"asn\": 7713,\r\n \"carrier\": \"Pt Telekomunikasi Indonesia\",\r\n \"organization\": \"Pt Telekomunikasi Indonesia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1478\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1479\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1480\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1481\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1482\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1483\",\r\n \"address\": \"173.15.245.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Michigan\",\r\n \"city\": \"Commerce Charter Township\",\r\n \"longitude\": -83.5449,\r\n \"latitude\": 42.60315,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1484\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1485\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1486\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1487\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1488\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1489\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1490\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1491\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1492\",\r\n \"address\": \"116.58.22.75\",\r\n \"location\": {\r\n \"countryCode\": \"PK\",\r\n \"countryName\": \"Pakistan\",\r\n \"state\": \"Punjab\",\r\n \"city\": \"Lahore\",\r\n \"longitude\": 74.31333,\r\n \"latitude\": 31.56333,\r\n \"asn\": 17563,\r\n \"carrier\": \"Nexlinx\",\r\n \"organization\": \"Nexlinx Isp Pakistan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1493\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1494\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1495\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1496\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1497\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1498\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1499\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1500\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1501\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1502\",\r\n \"address\": \"103.30.29.29\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Chittagong\",\r\n \"city\": \"Chittagong\",\r\n \"longitude\": 91.8123,\r\n \"latitude\": 22.3475,\r\n \"asn\": 45326,\r\n \"carrier\": \"Broad Band Telecom Services Ltd\",\r\n \"organization\": \"Bbts Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1503\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1504\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1505\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1506\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1507\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1508\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1482\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517371999999999999_eba10dff-5d46-4cee-b650-1aad616fd0e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"name\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-07T20:45:09.4714645Z\",\r\n \"processingEndTimeUtc\": \"2022-10-07T20:45:08.5306227Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-06T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1549\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.123 [1]\\r\\nIP: 185.156.72.25 [5]\\r\\nIP: 45.227.254.48 [1]\\r\\nIP: 181.214.218.55 [1]\\r\\nIP: 141.98.83.132 [8]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 192.99.233.28 [1]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 141.98.83.126 [12]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 91.240.118.202 [2]\\r\\nIP: 45.227.254.25 [128]\\r\\nIP: 147.78.47.146 [1]\\r\\nIP: 176.111.174.130 [12]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 194.165.16.158 [13]\\r\\nIP: 92.255.85.151 [4]\\r\\nIP: 176.9.52.56 [1]\\r\\nIP: 193.169.255.78 [1]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 185.221.134.42 [1]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 176.111.174.143 [14]\\r\\nIP: 92.255.85.194 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 176.111.174.200 [21]\\r\\nIP: 77.121.215.0 [1]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 45.141.87.2 [34]\\r\\nIP: 
45.141.84.86 [7]\\r\\nIP: 94.232.47.4 [25]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 91.240.118.113 [3]\\r\\nIP: 141.98.9.37 [6]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 216.131.112.27 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 195.78.54.194 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 45.227.254.26 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1550\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1551\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1552\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1553\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1554\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1555\",\r\n \"address\": \"181.214.218.55\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"longitude\": -55.0,\r\n \"latitude\": -10.0,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1556\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1557\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1558\",\r\n \"address\": \"192.99.233.28\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Quebec\",\r\n \"city\": \"Montreal\",\r\n \"longitude\": -73.56201,\r\n \"latitude\": 45.50208,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Hosting Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1559\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1560\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1561\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1562\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1563\",\r\n \"address\": \"91.240.118.202\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1564\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1565\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1566\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1567\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1568\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1569\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1570\",\r\n \"address\": \"176.9.52.56\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1571\",\r\n \"address\": \"193.169.255.78\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Pomorskie\",\r\n \"city\": \"Zelkowko\",\r\n \"longitude\": 17.0936,\r\n \"latitude\": 54.34198,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1572\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1573\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1574\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n 
\"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1575\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1576\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1577\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1578\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1579\",\r\n \"address\": \"77.121.215.0\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Cherkas'ka Oblast'\",\r\n \"city\": \"Cherkasy\",\r\n \"longitude\": 32.0621,\r\n \"latitude\": 49.4285,\r\n \"asn\": 25229,\r\n \"carrier\": \"Kyivski Telekomunikatsiyni Merezhi Llc\",\r\n \"organization\": \"Volia Cherkassy\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1580\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1581\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1582\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1583\",\r\n \"address\": \"94.232.47.4\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1584\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1585\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1586\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1587\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1588\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1589\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1590\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1591\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1592\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1593\",\r\n \"address\": \"216.131.112.27\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 62651,\r\n \"carrier\": \"Strong Technology Llc.\",\r\n \"organization\": \"Netprotect\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1594\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1595\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1596\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_1600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1604\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1563\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1619\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517372863999999999_2743a0e8-9f11-4b3a-8af3-8d50e5da5036/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"name\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-06T20:18:25.6741094Z\",\r\n \"processingEndTimeUtc\": \"2022-10-06T20:18:25.2845591Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n 
\"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1644\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 201.165.54.53 [1]\\r\\nIP: 194.165.16.158 [9]\\r\\nIP: 141.98.9.29 [9]\\r\\nIP: 195.78.54.194 [1]\\r\\nIP: 162.247.74.27 [1]\\r\\nIP: 147.78.47.146 [5]\\r\\nIP: 147.78.47.154 [8]\\r\\nIP: 91.240.118.113 [5]\\r\\nIP: 92.255.85.181 [4]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.87 [4]\\r\\nIP: 141.98.83.123 [11]\\r\\nIP: 193.37.69.213 [12]\\r\\nIP: 141.98.81.137 [13]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.204 [2]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 204.157.105.130 [1]\\r\\nIP: 45.141.84.85 [9]\\r\\nIP: 45.227.254.25 [29]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 109.205.214.3 [1]\\r\\nIP: 176.111.174.116 [10]\\r\\nIP: 94.232.47.157 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 23.83.131.85 [1]\\r\\nIP: 176.111.174.143 [29]\\r\\nIP: 193.37.69.212 [20]\\r\\nIP: 151.80.113.215 [1]\\r\\nIP: 91.240.242.8 [7]\\r\\nIP: 91.240.242.3 [5]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.141.84.86 [12]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1645\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1646\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1647\",\r\n \"address\": \"201.165.54.53\",\r\n \"location\": {\r\n \"countryCode\": 
\"MX\",\r\n \"countryName\": \"Mexico\",\r\n \"state\": \"Sinaloa\",\r\n \"city\": \"Los Mochis\",\r\n \"longitude\": -108.98835,\r\n \"latitude\": 25.79161,\r\n \"asn\": 13999,\r\n \"carrier\": \"Mega Cable S.A. De C.V.\",\r\n \"organization\": \"Mega Cable S.A. De C.V.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1648\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1649\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1650\",\r\n \"address\": \"195.78.54.194\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1651\",\r\n \"address\": \"162.247.74.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -74.00287,\r\n \"latitude\": 40.65724,\r\n \"asn\": 4224,\r\n \"carrier\": \"The Calyx Institute\",\r\n \"organization\": \"The Calyx Institute\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1652\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1653\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1654\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1655\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1656\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1657\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1658\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1659\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1660\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1661\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1662\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1663\",\r\n \"address\": \"193.37.69.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1664\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1665\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1666\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1667\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1668\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1669\",\r\n \"address\": \"204.157.105.130\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Jandira\",\r\n \"longitude\": -46.90199,\r\n \"latitude\": -23.5343,\r\n \"asn\": 268817,\r\n \"carrier\": \"Decola Telecom\",\r\n \"organization\": \"Decola Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1670\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1671\",\r\n \"address\": \"45.227.254.25\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1672\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1673\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1674\",\r\n \"address\": \"109.205.214.3\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Dedicated Servers Vps Vds\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1675\",\r\n \"address\": \"176.111.174.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1676\",\r\n \"address\": \"94.232.47.157\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1677\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1678\",\r\n \"address\": \"23.83.131.85\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Scottsdale\",\r\n \"longitude\": -111.8085,\r\n \"latitude\": 33.66364,\r\n \"asn\": 19148,\r\n \"carrier\": \"Leaseweb Usa Inc.\",\r\n \"organization\": \"Leaseweb Usa Inc. Pheonix\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1679\",\r\n \"address\": \"176.111.174.143\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1680\",\r\n \"address\": \"193.37.69.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1681\",\r\n \"address\": \"151.80.113.215\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Nord\",\r\n \"city\": \"Roubaix\",\r\n \"longitude\": 3.17321,\r\n \"latitude\": 50.69127,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Sas\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1682\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1683\",\r\n \"address\": \"91.240.242.3\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1684\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1685\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1654\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1703\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517373727999999999_a44ab21f-d922-43b7-aea4-74007c3205cc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"name\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-05T20:06:02.9429652Z\",\r\n \"processingEndTimeUtc\": \"2022-10-05T20:06:01.9820349Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1725\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.26 [3]\\r\\nIP: 176.111.174.71 [20]\\r\\nIP: 141.98.83.120 [7]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 193.148.61.116 [1]\\r\\nIP: 45.141.84.85 [6]\\r\\nIP: 141.98.9.29 [12]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 147.78.47.154 [5]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 141.98.9.37 [9]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.123 [2]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.88 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.11 [3]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 176.111.174.200 [6]\\r\\nIP: 94.232.47.150 [33]\\r\\nIP: 141.98.83.131 [9]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 94.232.47.151 [19]\\r\\nIP: 141.98.83.87 [6]\\r\\nIP: 5.62.43.223 [1]\\r\\nIP: 92.255.85.181 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 94.232.47.155 [29]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 141.98.83.122 [4]\\r\\nIP: 141.98.9.34 [9]\\r\\nIP: 210.8.65.86 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 94.232.47.8 [26]\\r\\nIP: 91.240.118.184 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 80.66.88.215 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1726\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1727\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1728\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1729\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1730\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1731\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1732\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1733\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1734\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1735\",\r\n \"address\": \"193.148.61.116\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1736\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1737\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1738\",\r\n 
\"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1739\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1740\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1741\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1742\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1743\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1744\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1745\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1746\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1747\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1748\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n 
\"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1749\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1750\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1751\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1752\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1754\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1755\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1756\",\r\n \"address\": \"94.232.47.150\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1757\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1758\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1759\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1760\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1761\",\r\n \"address\": \"5.62.43.223\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Camden\",\r\n \"longitude\": -0.16861,\r\n \"latitude\": 51.54,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Avast Software S.R.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1762\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1763\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1764\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1765\",\r\n \"address\": \"94.232.47.155\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1766\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1767\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1768\",\r\n 
\"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1769\",\r\n \"address\": \"210.8.65.86\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Old Guildford\",\r\n \"longitude\": 150.98807,\r\n \"latitude\": -33.86708,\r\n \"asn\": 2764,\r\n \"carrier\": \"Aapt Limited\",\r\n \"organization\": \"Aapt Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1770\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1771\",\r\n \"address\": \"94.232.47.8\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1772\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1773\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1774\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1775\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1776\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1778\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1787\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1748\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1807\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517374591999999999_1d78725c-9952-4a1d-8ea9-e696a20922fb/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"name\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-04T20:20:17.6238006Z\",\r\n \"processingEndTimeUtc\": \"2022-10-04T20:20:16.6615502Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-03T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1826\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.214.206.211 [12]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 141.98.83.83 [2]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.9.29 [11]\\r\\nIP: 192.227.168.178 [1]\\r\\nIP: 193.37.69.220 [23]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 62.204.41.152 [6]\\r\\nIP: 38.242.213.49 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 45.141.84.83 [6]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 66.195.201.152 [1]\\r\\nIP: 141.98.83.120 [6]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 113.88.234.130 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 94.232.47.151 [22]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 58.186.205.49 [1]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 195.78.54.174 [11]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 92.255.85.181 [5]\\r\\nIP: 176.111.174.73 
[9]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 176.111.174.72 [19]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 15.237.104.62 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 192.210.149.230 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.9.36 [18]\\r\\nIP: 185.190.24.61 [4]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 191.242.227.11 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 176.111.174.130 [12]\\r\\n36 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1827\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1828\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1829\",\r\n \"address\": \"181.214.206.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1830\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1831\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1832\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1833\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1834\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1835\",\r\n \"address\": \"192.227.168.178\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.8854,\r\n \"latitude\": 42.8883,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1836\",\r\n \"address\": \"193.37.69.220\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1837\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1838\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1839\",\r\n \"address\": \"38.242.213.49\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1840\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1841\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1842\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1843\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1844\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1845\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1846\",\r\n \"address\": \"66.195.201.152\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Tennessee\",\r\n \"city\": \"Memphis\",\r\n \"longitude\": -89.94812,\r\n \"latitude\": 35.11012,\r\n \"asn\": 3356,\r\n \"carrier\": \"Level 3 Parent Llc\",\r\n \"organization\": \"Level 3 Parent Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1847\",\r\n \"address\": 
\"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1848\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1849\",\r\n \"address\": \"113.88.234.130\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Henggang\",\r\n \"longitude\": 114.19833,\r\n \"latitude\": 22.64204,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Guangdong Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1850\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1851\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1852\",\r\n \"address\": \"94.232.47.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": 
\"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1853\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1854\",\r\n \"address\": \"58.186.205.49\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Cau Giay\",\r\n \"longitude\": 105.79176,\r\n \"latitude\": 21.03714,\r\n \"asn\": 18403,\r\n \"carrier\": \"Fpt Telecom Company\",\r\n \"organization\": \"Fpt Telecom Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1855\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1856\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1857\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1858\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1859\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1860\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1861\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1862\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1863\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1864\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1865\",\r\n \"address\": \"15.237.104.62\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Paris\",\r\n \"city\": \"Paris\",\r\n \"longitude\": 2.34107,\r\n 
\"latitude\": 48.86023,\r\n \"asn\": 16509,\r\n \"carrier\": \"Amazon.Com Inc\",\r\n \"organization\": \"Amazon Data Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1866\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1867\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1868\",\r\n \"address\": \"192.210.149.230\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1869\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1870\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_1871\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1872\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1873\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1874\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1875\",\r\n \"address\": \"191.242.227.11\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sorocaba\",\r\n \"longitude\": -47.44229,\r\n \"latitude\": -23.4971,\r\n \"asn\": 263483,\r\n \"carrier\": \"Direct Lan 
Telecomunicaes Sorocaba Ltda\",\r\n \"organization\": \"Direct Lan Telecomunica Es Sorocaba Ltda\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1876\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1877\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1878\",\r\n \"address\": \"176.111.174.130\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1881\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1838\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_1898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1853\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1913\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1917\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_1927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375455999999999_aae96208-c51f-4ff5-807a-670dfeece3d5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"name\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.0431333Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.6506508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T18:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1929\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 183.146.30.163 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1930\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1931\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1932\",\r\n \"address\": \"183.146.30.163\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Zhejiang\",\r\n \"city\": \"Jinhua\",\r\n \"longitude\": 119.65083,\r\n \"latitude\": 29.11611,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet-Zj Jinhua Node Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1932\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517375671999999999_f3eed8a4-da91-409a-b8e4-713efbe17c43/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"name\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-03T19:49:12.8041976Z\",\r\n \"processingEndTimeUtc\": \"2022-10-03T19:49:11.650774Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1934\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [2]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 185.190.24.61 [3]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 179.60.147.31 [12]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 179.60.147.32 [7]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 94.232.47.5 [47]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 194.165.17.7 [10]\\r\\nIP: 141.98.83.122 [7]\\r\\nIP: 176.111.174.200 [10]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 195.78.54.174 [17]\\r\\nIP: 69.172.78.13 [1]\\r\\nIP: 141.98.83.84 [12]\\r\\nIP: 138.199.18.131 [14]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 5.181.86.11 [2]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 141.98.83.127 [3]\\r\\nIP: 179.60.147.33 [17]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.88 
[5]\\r\\nIP: 141.98.83.85 [2]\\r\\nIP: 147.78.47.149 [8]\\r\\nIP: 94.232.47.158 [30]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 45.141.84.83 [2]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 194.165.16.6 [4]\\r\\nIP: 176.111.174.72 [11]\\r\\nIP: 20.163.11.154 [1]\\r\\nIP: 91.240.118.184 [14]\\r\\nIP: 141.98.83.86 [14]\\r\\nIP: 141.98.9.37 [18]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 94.232.47.9 [21]\\r\\nIP: 141.98.83.89 [1]\\r\\n82 more attempts by 17 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_1935\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_1936\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_1937\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1938\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1939\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n 
\"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1940\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1941\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1942\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1943\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1944\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1945\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1946\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1947\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1948\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1949\",\r\n \"address\": \"94.232.47.5\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1950\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1951\",\r\n \"address\": \"194.165.17.7\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1952\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1953\",\r\n \"address\": \"176.111.174.200\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1954\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1955\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1956\",\r\n \"address\": \"195.78.54.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1957\",\r\n \"address\": \"69.172.78.13\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"state\": \"Hong Kong\",\r\n \"city\": \"Aberdeen\",\r\n \"longitude\": 114.1524,\r\n \"latitude\": 22.24831,\r\n \"asn\": 132585,\r\n \"carrier\": \"Skyexchange Internet Access\",\r\n \"organization\": \"Skyexchange Internet Access\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1958\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1959\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": 
\"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1960\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1961\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1962\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1963\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1964\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1965\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1966\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1967\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1968\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1969\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1970\",\r\n \"address\": \"94.232.47.158\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1971\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1972\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1973\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1974\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1975\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1976\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1977\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1978\",\r\n \"address\": \"176.111.174.72\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1979\",\r\n \"address\": \"20.163.11.154\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1980\",\r\n \"address\": \"91.240.118.184\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1981\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1982\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1983\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1984\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1985\",\r\n \"address\": \"94.232.47.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1986\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_1987\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1937\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1988\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1938\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1989\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1939\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1990\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1940\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1991\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1941\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1992\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1942\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1993\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1943\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1994\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1944\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1998\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_1999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2020\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_1970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_1986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517376319999999999_3bf5e392-63d4-4fd5-b8c2-8565749653c2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"name\": 
\"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-02T19:30:06.9299257Z\",\r\n \"processingEndTimeUtc\": \"2022-10-02T19:30:06.0289442Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-10-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2037\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [6]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.131 [8]\\r\\nIP: 193.37.69.211 [23]\\r\\nIP: 176.111.174.73 [8]\\r\\nIP: 179.60.150.115 [7]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 147.78.47.146 [3]\\r\\nIP: 147.78.47.147 [5]\\r\\nIP: 141.98.83.83 [5]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 194.165.16.158 [1]\\r\\nIP: 5.181.86.11 [5]\\r\\nIP: 45.141.84.86 [1]\\r\\nIP: 94.232.47.152 [24]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 198.235.24.38 [1]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 193.37.69.209 [25]\\r\\nIP: 94.232.47.156 [33]\\r\\nIP: 147.78.47.149 [13]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.17 [5]\\r\\nIP: 141.98.83.132 [4]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 141.98.83.89 [10]\\r\\nIP: 141.98.83.124 
[2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.9.34 [35]\\r\\nIP: 176.111.174.71 [14]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 91.240.118.113 [6]\\r\\nIP: 20.226.32.246 [1]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 176.111.173.75 [1]\\r\\nIP: 138.199.18.131 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 80.66.88.129 [1]\\r\\nIP: 185.156.72.31 [5]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 91.240.242.8 [35]\\r\\n55 more attempts by 8 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2038\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2039\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2040\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2041\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2042\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2043\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2044\",\r\n \"address\": \"193.37.69.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2045\",\r\n \"address\": \"176.111.174.73\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2046\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2047\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2048\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2049\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2050\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2051\",\r\n \"address\": \"147.78.47.147\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2052\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2053\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2054\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2055\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2056\",\r\n \"address\": 
\"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2057\",\r\n \"address\": \"94.232.47.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2058\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2059\",\r\n \"address\": \"198.235.24.38\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"threatIntelligence\": [\r\n {\r\n \"providerName\": \"Team Cymru\",\r\n \"threatType\": \"Botnet\",\r\n \"threatName\": \"Conficker\",\r\n \"confidence\": 0.75,\r\n \"reportLink\": 
\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Botnets.pdf?sv=2021-08-06&spr=https&st=2022-10-02T19%3a15%3a06Z&se=2022-12-31T19%3a30%3a06Z&sr=b&sp=r&sig=R3tc8ii2u2BkwkqvR1vAhwzjf7fD%2bjUJICU%2fnOP2CxM%3d&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa\",\r\n \"threatDescription\": \"Address is a known Botnet indicator.\"\r\n }\r\n ],\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2060\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2061\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2062\",\r\n \"address\": \"193.37.69.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2063\",\r\n \"address\": \"94.232.47.156\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2064\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2065\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2066\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2067\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2068\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2069\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2070\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2071\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2072\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2073\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2074\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2075\",\r\n \"address\": 
\"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2076\",\r\n \"address\": \"176.111.174.71\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.68784,\r\n \"latitude\": 55.77543,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2077\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2078\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2079\",\r\n \"address\": \"20.226.32.246\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Campinas\",\r\n \"longitude\": -47.0453,\r\n \"latitude\": -22.89177,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2080\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2081\",\r\n \"address\": \"176.111.173.75\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2082\",\r\n \"address\": \"138.199.18.131\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2083\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate 
Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2084\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2085\",\r\n \"address\": \"80.66.88.129\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2086\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2087\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2088\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2089\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": 
\"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2090\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2040\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2091\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2041\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2092\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2042\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2093\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2043\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2094\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2044\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2095\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2045\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2096\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2046\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2097\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2047\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2098\",\r\n \"sourceAddress\": 
{\r\n \"$ref\": \"centralus_2048\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2099\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2049\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2100\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2050\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2101\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2051\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2102\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2052\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2103\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2067\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2072\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2127\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517377183999999999_b62485e3-2280-4f43-8459-2a39242325dc/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"name\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-10-01T19:36:37.5737773Z\",\r\n \"processingEndTimeUtc\": \"2022-10-01T19:36:37.1669158Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-30T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2140\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.29 [3]\\r\\nIP: 194.165.16.73 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 94.232.47.13 [30]\\r\\nIP: 141.98.83.126 [5]\\r\\nIP: 141.98.83.85 [6]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 5.181.86.11 [11]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 45.141.84.87 [19]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 179.60.150.115 [13]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 45.140.210.61 [1]\\r\\nIP: 141.98.9.35 [5]\\r\\nIP: 141.98.10.124 [8]\\r\\nIP: 94.232.47.11 [30]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 194.165.16.16 [5]\\r\\nIP: 194.165.16.158 [4]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 141.98.9.37 [4]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 91.240.242.5 [22]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 20.163.46.69 [1]\\r\\nIP: 45.227.254.51 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2141\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2142\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2143\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2144\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2145\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2146\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2147\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2148\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2149\",\r\n \"address\": \"94.232.47.13\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2150\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2151\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2152\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2153\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions 
Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2154\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2155\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2156\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2157\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2158\",\r\n \"address\": \"45.141.84.87\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2159\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2160\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2161\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2162\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2163\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2164\",\r\n \"address\": \"45.140.210.61\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2165\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2166\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2167\",\r\n \"address\": \"94.232.47.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2168\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2169\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2170\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2171\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2172\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2173\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2174\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2175\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2176\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. 
Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2177\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2178\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2179\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2180\",\r\n \"address\": \"20.163.46.69\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2181\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2182\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2143\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2183\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2144\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2184\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2145\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2185\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2146\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2186\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2147\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2187\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2148\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2188\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2149\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2189\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2150\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2190\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2151\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2191\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2152\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2192\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2153\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2193\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2154\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2194\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2155\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2195\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2196\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2197\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2198\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2199\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2200\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2201\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_2162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2202\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2203\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2204\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2205\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2168\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2181\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378047999999999_73bfc982-6daf-46f5-8c2d-95a9042e119f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"name\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-30T19:55:09.682631Z\",\r\n \"processingEndTimeUtc\": \"2022-09-30T19:55:09.1843919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2221\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 141.98.83.127 [12]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 92.255.85.151 [5]\\r\\nIP: 45.227.255.79 [7]\\r\\nIP: 147.78.47.149 [6]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 181.214.206.251 [6]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 141.98.83.128 [8]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 179.60.147.32 [19]\\r\\nIP: 91.240.242.8 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 141.98.83.124 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 43.230.156.26 [1]\\r\\nIP: 194.165.16.158 [10]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 141.98.83.125 [6]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 141.98.9.37 [8]\\r\\nIP: 5.188.206.230 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 147.78.47.154 [1]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 141.98.9.35 [15]\\r\\nIP: 141.98.83.123 [4]\\r\\nIP: 129.146.85.184 
[1]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 45.141.84.90 [30]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.29 [14]\\r\\nIP: 45.141.87.9 [24]\\r\\nIP: 141.98.10.204 [19]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 141.98.83.88 [1]\\r\\nIP: 194.165.17.22 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 20.168.105.212 [1]\\r\\n72 more attempts by 9 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2222\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2223\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2224\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2225\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2226\",\r\n 
\"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2227\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2228\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2229\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2230\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2231\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2232\",\r\n \"address\": \"181.214.206.251\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2233\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2234\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2235\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2236\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2237\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": 
\"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2238\",\r\n \"address\": \"91.240.242.8\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2239\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2240\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2241\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2242\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": 
\"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2243\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2244\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2245\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2246\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2247\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2248\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2249\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2250\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2251\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2252\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2253\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2254\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2255\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2256\",\r\n \"address\": \"45.141.84.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2257\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": 
-80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2258\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2259\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2260\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2261\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2262\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2263\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2264\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2265\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2266\",\r\n \"address\": \"194.165.17.22\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2267\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2268\",\r\n \"address\": 
\"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2269\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2270\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2271\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2272\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2273\",\r\n \"address\": \"20.168.105.212\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2278\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2228\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2279\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2229\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2280\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2230\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2281\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2231\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2282\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2232\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2283\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2233\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2284\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2234\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2285\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2235\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2286\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2236\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2287\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2237\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2288\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2238\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2289\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2239\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2290\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2240\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2291\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2241\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2292\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2242\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2293\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2243\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2294\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2244\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2295\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2245\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2296\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2246\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2297\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2247\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2298\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2248\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2299\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2249\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2300\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2250\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2301\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2251\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2302\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2252\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2303\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2253\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2304\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2254\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2305\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2255\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2306\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2256\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2307\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2257\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2308\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2258\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2262\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2322\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517378911999999999_ff8c9d9e-4701-4d7d-acb6-db12230aca1a/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"name\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-29T19:51:37.1590955Z\",\r\n \"processingEndTimeUtc\": \"2022-09-29T19:51:34.0584565Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-28T00:00:00Z\",\r\n 
\"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2324\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.26.29.113 [52]\\r\\nIP: 141.98.10.124 [5]\\r\\nIP: 179.60.150.111 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 141.98.83.89 [1]\\r\\nIP: 24.154.71.234 [2]\\r\\nIP: 141.98.9.34 [1]\\r\\nIP: 141.98.10.207 [5]\\r\\nIP: 179.60.147.31 [9]\\r\\nIP: 20.163.30.220 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 152.89.198.133 [1]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 45.141.84.86 [7]\\r\\nIP: 179.60.150.113 [3]\\r\\nIP: 45.227.253.130 [8]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.85 [2]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 5.181.86.61 [6]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 92.255.85.152 [9]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 107.181.178.109 [1]\\r\\nIP: 185.190.24.17 [12]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 94.232.47.12 [25]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 115.242.152.158 [2]\\r\\nIP: 193.37.69.207 [27]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 193.37.69.210 [40]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 141.98.83.122 [3]\\r\\n142 more attempts by 24 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2325\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2326\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2327\",\r\n \"address\": \"194.26.29.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2328\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2329\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2330\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2331\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & 
Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2332\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2333\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2334\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2335\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2336\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2337\",\r\n \"address\": \"20.163.30.220\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2338\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2339\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2340\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2341\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2342\",\r\n \"address\": 
\"152.89.198.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.81472,\r\n \"latitude\": 55.71376,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2343\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2344\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2345\",\r\n \"address\": \"45.141.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2346\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2347\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n 
\"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2348\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2349\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2350\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2351\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2352\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2353\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2354\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2355\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2356\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2357\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2358\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2359\",\r\n \"address\": \"107.181.178.109\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2360\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2361\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2362\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2363\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2364\",\r\n \"address\": \"94.232.47.12\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.64348,\r\n \"latitude\": 55.88878,\r\n \"asn\": 204490,\r\n \"carrier\": \"Kontel Llc\",\r\n \"organization\": \"Dmitriy Panchenko\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2365\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2366\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2367\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2368\",\r\n \"address\": \"193.37.69.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2369\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2370\",\r\n \"address\": \"193.37.69.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2371\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2372\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2373\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2374\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2375\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2376\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2381\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2331\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2382\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2332\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2383\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2333\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2384\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2334\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2385\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2335\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2386\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2336\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2387\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2337\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2388\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2338\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2389\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2339\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2390\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2340\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2391\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2341\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2392\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2342\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2393\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2343\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2394\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2344\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2395\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2345\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2396\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2346\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2397\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2347\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2398\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2348\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2399\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2349\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2400\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2350\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2401\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2351\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2402\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2352\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2403\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2353\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2404\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2354\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2405\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2355\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2406\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2356\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2407\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2357\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2408\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2358\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2409\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2359\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2410\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2360\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2411\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2361\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2368\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517379775999999999_eeff042c-fc7f-4d14-845e-c36ad13d8f2c/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"name\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-28T20:06:40.3720303Z\",\r\n \"processingEndTimeUtc\": \"2022-09-28T20:06:39.6960251Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2427\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": 
\"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 147.78.47.147 [3]\\r\\nIP: 206.72.198.134 [1]\\r\\nIP: 179.60.150.111 [1]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.10.204 [5]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 141.98.83.122 [8]\\r\\nIP: 121.229.22.196 [2]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 5.188.206.10 [10]\\r\\nIP: 80.66.76.145 [5]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.172.93.17 [1]\\r\\nIP: 194.165.16.16 [10]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 45.227.254.54 [4]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.194 [19]\\r\\nIP: 193.32.126.158 [1]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 185.161.69.10 [1]\\r\\nIP: 141.98.83.124 [6]\\r\\nIP: 141.98.9.34 [11]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 185.190.24.17 [18]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 115.242.152.158 [3]\\r\\nIP: 141.98.9.35 [7]\\r\\nIP: 179.60.147.33 [9]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 194.165.16.11 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.141.87.21 [4]\\r\\nIP: 141.98.83.87 [11]\\r\\nIP: 195.78.54.97 [55]\\r\\nIP: 141.98.9.29 [4]\\r\\nIP: 45.227.254.53 [2]\\r\\n97 more attempts by 19 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2428\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2429\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2430\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2431\",\r\n \"address\": \"206.72.198.134\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2432\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2433\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2434\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n 
\"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2435\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2436\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2437\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2438\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2439\",\r\n \"address\": \"121.229.22.196\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Jiangsu\",\r\n \"city\": 
\"Nanjing\",\r\n \"longitude\": 118.78417,\r\n \"latitude\": 32.04583,\r\n \"asn\": 4134,\r\n \"carrier\": \"Chinanet\",\r\n \"organization\": \"Chinanet Jiangsu Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2440\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2441\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2442\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2443\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2444\",\r\n \"address\": \"80.66.76.145\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2445\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2446\",\r\n \"address\": \"107.172.93.17\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2447\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2448\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2449\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2450\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2451\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2452\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n 
\"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2453\",\r\n \"address\": \"193.32.126.158\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Seine-Saint-Denis\",\r\n \"city\": \"Aubervilliers\",\r\n \"longitude\": 2.38121,\r\n \"latitude\": 48.91482,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services France\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2454\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2455\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2456\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2457\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2458\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2459\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2460\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2461\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2462\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2463\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n 
\"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2464\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2465\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2466\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2467\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2468\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": 
\"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2469\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2470\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2471\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2472\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2473\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2474\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2475\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2476\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2477\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2478\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2479\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2484\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2434\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2485\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2435\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2486\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2436\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2487\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2437\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2488\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2438\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2489\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2439\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2490\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2440\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2491\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2441\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2492\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2442\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2493\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2443\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2494\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2444\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2495\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2445\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2496\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2446\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2497\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2447\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2498\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2448\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2499\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2449\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2500\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2450\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2501\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2451\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2502\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2452\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2503\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2453\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2504\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2454\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2505\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2455\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2506\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2456\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2507\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2457\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2508\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2458\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2509\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2459\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2510\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2460\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2461\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2462\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2463\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2514\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2464\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2525\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517380639999999999_daeba000-26b3-4762-85de-7f237a9972f2/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"name\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-27T20:12:39.5796058Z\",\r\n \"processingEndTimeUtc\": \"2022-09-27T20:12:38.7743954Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2530\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.141.84.83 [29]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.9.36 [8]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 87.251.67.64 [2]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 179.60.150.115 [10]\\r\\nIP: 5.181.86.11 [8]\\r\\nIP: 91.240.118.113 [1]\\r\\nIP: 43.230.156.26 [2]\\r\\nIP: 194.165.17.14 [2]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 194.165.16.37 [3]\\r\\nIP: 5.181.86.44 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 147.78.47.147 [1]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 185.195.232.248 [3]\\r\\nIP: 5.188.206.10 [3]\\r\\nIP: 123.30.210.197 [3]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.119 [2]\\r\\nIP: 141.98.83.89 [3]\\r\\nIP: 185.156.72.25 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 5.181.86.88 [1]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 185.156.72.31 [3]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.83 [10]\\r\\nIP: 141.98.10.207 [4]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 115.242.152.158 [1]\\r\\nIP: 179.60.150.113 [4]\\r\\nIP: 179.60.147.32 [10]\\r\\nIP: 141.98.83.127 [4]\\r\\nIP: 45.227.253.130 [7]\\r\\nIP: 147.78.47.149 [4]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 195.78.54.97 [34]\\r\\nIP: 179.60.150.116 [2]\\r\\n15 more attempts by 5 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2531\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2532\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2533\",\r\n \"address\": \"45.141.84.83\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2534\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2535\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2536\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2537\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2538\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2539\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2540\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2541\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2542\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2543\",\r\n \"address\": \"43.230.156.26\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Haryana\",\r\n \"city\": \"Faridabad\",\r\n \"longitude\": 77.3178,\r\n \"latitude\": 28.4089,\r\n \"asn\": 133647,\r\n \"carrier\": \"Elxire Data Services Pvt. Ltd.\",\r\n \"organization\": \"Elxire Data Services Pvt. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2544\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2545\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2546\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2547\",\r\n 
\"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2548\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2549\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2550\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2551\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_2552\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2553\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2554\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2555\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2556\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2557\",\r\n \"address\": \"185.195.232.248\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 
51.51222,\r\n \"asn\": 39351,\r\n \"carrier\": \"31173 Services Ab\",\r\n \"organization\": \"31173 Services United Kingdom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2558\",\r\n \"address\": \"5.188.206.10\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2559\",\r\n \"address\": \"123.30.210.197\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2560\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2561\",\r\n \"address\": \"45.141.84.119\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2562\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 
209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2563\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2564\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2565\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2566\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2567\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2568\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2569\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2570\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2571\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2572\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2573\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2574\",\r\n \"address\": \"115.242.152.158\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Himachal Pradesh\",\r\n \"city\": \"Kasauli\",\r\n \"longitude\": 76.96488,\r\n \"latitude\": 30.90129,\r\n \"asn\": 55836,\r\n \"carrier\": \"Reliance Jio Infocomm Limited\",\r\n \"organization\": \"Reliance Jio Infocomm Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2575\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2576\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2577\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2578\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n 
\"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2579\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2580\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2581\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2582\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2585\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2586\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2536\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2587\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2537\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2588\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2538\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2589\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2539\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2590\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2540\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2591\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2541\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2592\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2542\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2593\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2543\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2594\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2544\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2595\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2545\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2596\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2546\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2597\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2547\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2598\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2548\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2599\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2549\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2600\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2550\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2601\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2551\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2602\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2552\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2603\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2553\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2604\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2554\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2605\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2555\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2606\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2556\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2607\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2557\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2608\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2558\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2609\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2559\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2578\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517381503999999999_58a462b5-1ce8-4033-a98f-b6f39ba34392/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"name\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-26T19:58:54.397306Z\",\r\n \"processingEndTimeUtc\": \"2022-09-26T19:58:53.5738114Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2633\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 5.181.86.44 [2]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 5.188.206.230 [5]\\r\\nIP: 194.165.16.38 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.87 [3]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 62.204.41.152 [1]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 141.98.83.126 
[6]\\r\\nIP: 216.19.1.14 [8]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 146.196.46.255 [2]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 185.190.24.48 [4]\\r\\nIP: 45.227.253.130 [23]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 13.71.103.48 [1]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 141.98.83.120 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.202 [2]\\r\\n164 more attempts by 29 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2634\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2635\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2636\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2637\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2638\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2639\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2640\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2641\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2642\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2643\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2644\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2645\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2646\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2647\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2648\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2649\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2650\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2651\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2652\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2653\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2654\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2655\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2656\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2657\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2658\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n 
\"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2659\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2660\",\r\n \"address\": \"62.204.41.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Vnukovo\",\r\n \"longitude\": 37.59325,\r\n \"latitude\": 55.73761,\r\n \"asn\": 59425,\r\n \"carrier\": \"Horizon Llc\",\r\n \"organization\": \"Horizon Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2661\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2662\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2663\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural 
Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2664\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2665\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2666\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2667\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2668\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2669\",\r\n \"address\": 
\"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2670\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2671\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2672\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2673\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2674\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2675\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2676\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2677\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2678\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2679\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": 
\"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2680\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2681\",\r\n \"address\": \"13.71.103.48\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2682\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2683\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2684\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2685\",\r\n \"address\": 
\"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2688\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2638\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2689\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2639\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2690\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2640\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2691\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2641\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2692\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2642\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2693\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2643\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2694\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2644\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2695\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2645\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2696\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2646\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2697\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2647\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2698\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2648\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2699\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2649\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2700\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2650\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2701\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2651\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2702\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2652\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2703\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2653\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2704\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2654\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2705\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2655\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2706\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2656\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2707\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2657\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2708\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2658\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2709\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2659\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2710\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2660\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2711\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2661\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2712\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2662\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2713\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_5da4d982-95a1-473f-8fae-344abdbc1c40/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"name\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-25T19:28:48.9427258Z\",\r\n \"processingEndTimeUtc\": \"2022-09-25T19:28:48.1928389Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_2736\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.254.4 [3]\\r\\nIP: 5.181.86.44 [2]\\r\\nIP: 192.3.110.166 [1]\\r\\nIP: 185.190.24.32 [1]\\r\\nIP: 194.165.17.14 [4]\\r\\nIP: 185.190.24.50 [2]\\r\\nIP: 141.98.83.85 [3]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.121 [4]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 141.98.9.34 [16]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 87.251.64.160 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 198.235.24.156 [1]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 141.98.83.86 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 78.128.113.138 [8]\\r\\nIP: 87.251.67.98 [5]\\r\\nIP: 195.78.54.97 [32]\\r\\nIP: 146.196.46.255 [1]\\r\\nIP: 141.98.10.204 [8]\\r\\nIP: 179.60.150.116 [6]\\r\\nIP: 80.66.88.202 [2]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 185.190.24.17 [6]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 45.141.87.18 [4]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 38.122.130.162 [6]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.118.113 [2]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 45.227.254.55 [1]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 141.98.9.36 [6]\\r\\nIP: 141.98.83.88 [8]\\r\\nIP: 186.249.36.154 [1]\\r\\nIP: 92.255.85.194 [25]\\r\\n99 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2737\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2738\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2739\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2740\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2741\",\r\n \"address\": \"192.3.110.166\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2742\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2743\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": 
\"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2744\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2745\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2746\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2747\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2748\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2749\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2750\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2751\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2752\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2753\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2754\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2755\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2756\",\r\n \"address\": \"198.235.24.156\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Santa Clara\",\r\n \"longitude\": -121.9614,\r\n \"latitude\": 37.39631,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Palo Alto Networks Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2757\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2758\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2759\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2760\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2761\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2762\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2763\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2764\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" 
Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2765\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2766\",\r\n \"address\": \"146.196.46.255\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"West Bengal\",\r\n \"city\": \"Ultadanga\",\r\n \"longitude\": 88.3869,\r\n \"latitude\": 22.5948,\r\n \"asn\": 135872,\r\n \"carrier\": \"Gtpl Kcbpl Broadband Pvt Ltd\",\r\n \"organization\": \"Gtpl Kcbpl Broadband Pvt Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2767\",\r\n \"address\": \"141.98.10.204\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2768\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2769\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 
Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2771\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2772\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2773\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2774\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2775\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n 
\"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2776\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2777\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2778\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2779\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2780\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2781\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2782\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2783\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2784\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2785\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2786\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2787\",\r\n \"address\": \"186.249.36.154\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Franca\",\r\n \"longitude\": -47.40563,\r\n \"latitude\": -20.54751,\r\n \"asn\": 28195,\r\n \"carrier\": \"Com4 Data Center Eireli\",\r\n \"organization\": \"Com4 Data Center Eireli\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2788\",\r\n \"address\": \"92.255.85.194\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2791\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2741\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2792\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2742\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2793\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2743\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2794\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2744\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2795\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2745\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2796\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2746\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2797\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2747\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2798\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2748\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2799\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2749\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2800\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2750\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2801\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2751\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2802\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2752\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2803\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2753\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2804\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2754\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2805\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2755\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2806\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2756\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2807\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2757\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2808\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2758\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2809\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2759\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2810\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2760\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2811\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2761\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2812\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2762\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2813\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2763\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2814\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2764\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2815\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2765\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2827\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2781\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_2837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517383231999999999_7cfbc788-1649-4ef2-ae60-3eebf3810b87/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"name\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-24T19:25:53.91713Z\",\r\n \"processingEndTimeUtc\": \"2022-09-24T19:25:53.5050508Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2839\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.124 [2]\\r\\nIP: 62.233.50.123 [24]\\r\\nIP: 141.98.10.124 [10]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 216.19.1.14 [23]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 78.128.113.138 [6]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 5.188.206.230 [6]\\r\\nIP: 5.181.86.51 [3]\\r\\nIP: 87.251.64.140 [3]\\r\\nIP: 87.251.67.98 [4]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 141.98.83.131 [7]\\r\\nIP: 179.60.150.111 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 45.227.254.27 [1]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 194.165.16.38 [1]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 45.227.254.4 [5]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 179.60.150.113 [1]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 194.165.16.17 [7]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.10.181 [10]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 194.165.17.12 [7]\\r\\nIP: 185.190.24.61 [7]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 141.98.81.137 [10]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 179.60.150.114 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 179.60.147.31 [6]\\r\\nIP: 59.49.43.217 [1]\\r\\nIP: 141.98.10.207 [7]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 80.66.88.204 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\n187 more attempts by 32 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2840\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2841\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2842\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2843\",\r\n \"address\": \"62.233.50.123\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2844\",\r\n \"address\": \"141.98.10.124\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2845\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2846\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 
34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2847\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2848\",\r\n \"address\": \"78.128.113.138\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 209160,\r\n \"carrier\": \"Miti 2000 Eood\",\r\n \"organization\": \"Miti 2000 Eood\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2849\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2850\",\r\n \"address\": \"5.188.206.230\",\r\n \"location\": {\r\n \"countryCode\": \"BG\",\r\n \"countryName\": \"Bulgaria\",\r\n \"state\": \"Sofiya-Grad\",\r\n \"city\": \"Sofiya\",\r\n \"longitude\": 23.3217,\r\n \"latitude\": 42.6978,\r\n \"asn\": 200391,\r\n \"carrier\": \"Krez 999 Eood\",\r\n \"organization\": \"Technology Advanced Investment Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2851\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2852\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2853\",\r\n \"address\": \"87.251.67.98\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2854\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2855\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2856\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2857\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2858\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2859\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2860\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2861\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2862\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2863\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2864\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2865\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2866\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n 
\"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2867\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2868\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2869\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2870\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2871\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_2872\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2873\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2874\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2875\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2876\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2877\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n 
\"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2878\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2879\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2880\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2881\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2882\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 
17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2883\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2884\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2885\",\r\n \"address\": \"59.49.43.217\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shanxi\",\r\n \"city\": \"Taiyuan\",\r\n \"longitude\": 112.56167,\r\n \"latitude\": 37.84667,\r\n \"asn\": 132147,\r\n \"carrier\": \"Ct-Shanxi-Man\",\r\n \"organization\": \"Shanxi Telecom Taiyuan Branch Broadband Adsl Port Ip Address\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2886\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2887\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 
105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2888\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2889\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2890\",\r\n \"address\": \"80.66.88.204\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2891\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2892\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2893\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2843\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2894\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2844\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2895\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2845\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2896\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2846\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2897\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2847\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2898\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2848\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2899\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2849\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2900\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2850\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2901\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2851\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2902\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2852\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2903\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2853\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2904\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2854\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2905\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2855\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2906\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2856\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2907\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2857\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2908\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2858\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2909\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2859\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2910\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2860\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2911\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2861\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2912\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2862\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2913\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_2863\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2914\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2864\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2915\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2865\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2916\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2866\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2917\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2867\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2918\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2868\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2869\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2929\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2882\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384095999999999_5bd6b6fd-38d0-4d33-8d41-e22df1e42820/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"name\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-23T20:00:31.1607186Z\",\r\n \"processingEndTimeUtc\": \"2022-09-23T20:00:30.596124Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_2942\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.78 [1]\\r\\nIP: 195.78.54.97 [33]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 103.104.168.36 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 179.60.150.116 [1]\\r\\nIP: 88.214.25.13 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 38.122.130.162 [11]\\r\\nIP: 194.165.16.38 [3]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 141.98.83.133 [1]\\r\\nIP: 216.19.1.14 [15]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 185.156.72.27 [2]\\r\\nIP: 179.60.147.31 [19]\\r\\nIP: 194.165.16.10 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 46.29.10.30 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 141.98.83.84 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 185.156.72.29 [3]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.61 [4]\\r\\nIP: 88.214.25.12 [2]\\r\\nIP: 
45.227.253.130 [6]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 51.178.4.205 [3]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 45.227.254.27 [4]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.17.12 [13]\\r\\nIP: 43.157.17.13 [1]\\r\\nIP: 141.98.9.36 [7]\\r\\nIP: 45.227.254.4 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.127 [6]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 185.190.24.50 [5]\\r\\nIP: 141.98.10.181 [5]\\r\\nIP: 80.66.88.201 [1]\\r\\n106 more attempts by 26 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_2943\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_2944\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_2945\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2946\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2947\",\r\n \"address\": 
\"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2948\",\r\n \"address\": \"103.104.168.36\",\r\n \"location\": {\r\n \"countryCode\": \"HK\",\r\n \"countryName\": \"Hong Kong\",\r\n \"longitude\": 114.1,\r\n \"latitude\": 22.15,\r\n \"asn\": 136897,\r\n \"carrier\": \"Enjoyvc Cloud Group Limited.\",\r\n \"organization\": \"Cyit-Hk\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2949\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2950\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2951\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2952\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2953\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2954\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2955\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2956\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2957\",\r\n \"address\": \"216.19.1.14\",\r\n \"location\": 
{\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Camp Verde\",\r\n \"longitude\": -111.85611,\r\n \"latitude\": 34.52507,\r\n \"asn\": 64242,\r\n \"carrier\": \"Speednet Llc\",\r\n \"organization\": \"Speedconnect Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2958\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2959\",\r\n \"address\": \"185.156.72.27\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2960\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2961\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2962\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n 
\"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2963\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2964\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2965\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2966\",\r\n \"address\": \"46.29.10.30\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.9454,\r\n \"latitude\": 45.0749,\r\n \"asn\": 197204,\r\n \"carrier\": \"Telemaks Ltd\",\r\n \"organization\": \"Telemaks Ptp Static Routing Clients.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2967\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2968\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2969\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2970\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2971\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2972\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & 
Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2973\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2974\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2975\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2976\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2977\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2978\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2979\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2980\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2981\",\r\n \"address\": \"45.227.254.52\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2982\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2983\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2984\",\r\n \"address\": \"43.157.17.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2985\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_2986\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2987\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2988\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2989\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2990\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2991\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2992\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2993\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2994\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_2995\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2945\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2996\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2946\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2997\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2947\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2998\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2948\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_2999\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2949\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3000\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2950\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3001\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2951\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3002\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2952\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3003\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2953\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3004\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2954\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3005\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2955\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3006\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2956\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3007\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2957\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3008\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2958\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3009\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2959\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3010\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2960\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3011\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2961\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3012\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2962\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3013\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2963\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3014\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2964\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3015\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2965\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3016\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2966\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3017\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2967\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3018\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2968\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3019\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2969\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3020\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2970\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3021\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2971\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3027\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_2977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_2994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517384959999999999_ebfe7f16-b4b0-482d-815c-e3b2fb482724/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myservice1/providers/Microsoft.Security/locations/centralus/alerts/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"name\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:27.9077468Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8898617Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T11:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3045\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"testservice1\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"22\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.76.51.230 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3046\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3047\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3048\",\r\n \"address\": \"80.76.51.230\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n 
\"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 211252,\r\n \"carrier\": \"Delis Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3048\"\r\n },\r\n \"destinationPort\": 22,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385427999999999_ec9e777c-2b94-4e6a-af50-8888076d67c4/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/myservice1/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"name\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-22T20:37:28.3862144Z\",\r\n \"processingEndTimeUtc\": \"2022-09-22T20:37:26.8900314Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-21T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3050\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": 
\"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 87.251.64.140 [1]\\r\\nIP: 185.190.24.32 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 80.153.67.94 [1]\\r\\nIP: 23.236.144.243 [1]\\r\\nIP: 91.240.242.15 [3]\\r\\nIP: 193.37.69.215 [24]\\r\\nIP: 174.108.172.27 [2]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.51 [2]\\r\\nIP: 45.141.84.116 [2]\\r\\nIP: 194.165.16.4 [1]\\r\\nIP: 5.181.86.11 [17]\\r\\nIP: 194.165.16.6 [2]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 194.165.16.17 [5]\\r\\nIP: 141.98.83.83 [4]\\r\\nIP: 38.122.130.162 [5]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 45.227.254.27 [8]\\r\\nIP: 141.98.83.122 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 141.98.10.181 [16]\\r\\nIP: 80.66.88.215 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 176.222.18.110 [1]\\r\\nIP: 195.78.54.97 [17]\\r\\nIP: 141.98.81.137 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 141.98.83.133 [3]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 179.60.150.115 [6]\\r\\nIP: 51.178.4.205 [6]\\r\\nIP: 5.181.86.85 [4]\\r\\nIP: 195.78.54.73 [17]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 185.190.24.93 [3]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 179.60.147.32 [11]\\r\\nIP: 141.98.83.126 [1]\\r\\nIP: 5.181.86.88 [2]\\r\\nIP: 88.214.25.12 [3]\\r\\nIP: 87.251.64.35 [1]\\r\\nIP: 179.60.150.116 [3]\\r\\nIP: 141.98.9.34 [15]\\r\\n136 more attempts by 30 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3051\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3052\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3053\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3054\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3055\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3056\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3057\",\r\n \"address\": \"80.153.67.94\",\r\n \"location\": {\r\n 
\"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.4061,\r\n \"latitude\": 52.5192,\r\n \"asn\": 3320,\r\n \"carrier\": \"Deutsche Telekom Ag\",\r\n \"organization\": \"Deutsche Telekom Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3058\",\r\n \"address\": \"23.236.144.243\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55081,\r\n \"carrier\": \"24 Shells\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3059\",\r\n \"address\": \"91.240.242.15\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3060\",\r\n \"address\": \"193.37.69.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3061\",\r\n \"address\": \"174.108.172.27\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"Sumter\",\r\n \"longitude\": -80.35409,\r\n \"latitude\": 33.87458,\r\n \"asn\": 11426,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3062\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3063\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3064\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3065\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3066\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers 
S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3067\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3068\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3069\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3070\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3071\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3072\",\r\n \"address\": \"38.122.130.162\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3073\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3074\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3075\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3076\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3077\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": 
\"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3078\",\r\n \"address\": \"141.98.10.181\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3079\",\r\n \"address\": \"80.66.88.215\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3080\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3081\",\r\n \"address\": \"176.222.18.110\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Khanty-Mansiyskiy Avtonomnyy Okrug\",\r\n \"city\": \"Surgut\",\r\n \"longitude\": 73.4,\r\n \"latitude\": 61.2667,\r\n \"asn\": 41822,\r\n \"carrier\": \"Mts Pjsc\",\r\n \"organization\": \"Ural Branch Of Cjsc Comstar-Regions In Surgut\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3082\",\r\n \"address\": \"195.78.54.97\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": 
-96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3083\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3084\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3085\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3086\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3087\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3088\",\r\n 
\"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3089\",\r\n \"address\": \"51.178.4.205\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"Waltham Forest\",\r\n \"longitude\": -0.0166,\r\n \"latitude\": 51.5833,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Failover Ips\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3090\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3091\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3092\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3093\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n 
\"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3094\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3095\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3096\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3097\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3098\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka 
Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3099\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3100\",\r\n \"address\": \"87.251.64.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3101\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3102\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3103\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3053\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3104\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3054\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3105\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3055\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3106\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3056\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3107\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3057\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3108\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3058\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3109\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3059\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3110\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3060\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3111\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3061\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3112\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3062\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3113\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3063\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3114\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3064\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3115\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3065\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3116\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3066\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3117\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3067\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3118\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3068\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3119\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3069\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3120\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3070\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3121\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3071\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3122\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3072\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3123\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3073\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3124\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3074\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3132\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3090\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3150\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3101\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517385823999999999_02ef0997-1545-497a-9816-3fd88951c3d7/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"name\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-21T19:41:38.1643149Z\",\r\n \"processingEndTimeUtc\": \"2022-09-21T19:41:37.0449995Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3153\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": 
\"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.130 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 20.172.39.252 [1]\\r\\nIP: 141.98.83.127 [9]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 129.146.85.184 [1]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 185.190.24.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 176.113.115.141 [25]\\r\\nIP: 194.26.29.11 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 141.98.83.126 [6]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 194.165.16.17 [2]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 194.165.16.16 [3]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.128 [4]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [15]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.81.137 [4]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.83.125 [3]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 147.78.47.149 [9]\\r\\nIP: 194.165.16.29 [5]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 5.181.86.61 [9]\\r\\n138 more attempts by 22 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3154\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3155\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3156\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3157\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3158\",\r\n \"address\": \"20.172.39.252\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3159\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3160\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3161\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3162\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3163\",\r\n \"address\": \"129.146.85.184\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3164\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3165\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3166\",\r\n 
\"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3167\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3168\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3169\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3170\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3171\",\r\n 
\"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3172\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3173\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3174\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57678,\r\n \"carrier\": \"Red Bytes Llc\",\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3175\",\r\n \"address\": \"194.26.29.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": 
\"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3176\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3177\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3178\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3179\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3180\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3181\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n 
\"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3182\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3183\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3184\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3185\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3186\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers 
S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3187\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3188\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3189\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3190\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3191\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3192\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3193\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3194\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3195\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3196\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3197\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3198\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3199\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3200\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3201\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3202\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3203\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3204\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3205\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3206\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3156\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3207\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3157\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3208\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3158\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3209\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3159\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3210\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3160\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3211\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3161\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3212\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3162\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3213\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3163\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3214\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3164\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3215\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3165\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3216\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3166\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3217\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3167\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3218\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3168\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3219\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3169\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3220\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3170\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3221\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3171\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3222\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3172\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3223\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3173\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3224\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3174\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3225\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3175\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3226\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3176\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3227\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3177\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3228\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3233\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3197\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3202\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": 
\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_33aa9455-56a8-4365-b4bd-bcf5e2370b89/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"name\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-20T19:33:13.4506209Z\",\r\n \"processingEndTimeUtc\": \"2022-09-20T19:33:12.2309742Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-19T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3256\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.37 [1]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 92.255.85.151 [7]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 5.181.86.61 [9]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.9.35 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 194.165.16.72 [1]\\r\\nIP: 179.60.147.33 [1]\\r\\nIP: 179.60.150.111 [12]\\r\\nIP: 181.214.206.176 [32]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 80.66.88.201 [1]\\r\\nIP: 147.78.47.147 [2]\\r\\nIP: 141.98.9.36 [2]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 45.227.254.49 [1]\\r\\nIP: 141.98.83.85 [7]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 80.66.88.207 [2]\\r\\nIP: 179.60.147.32 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.121 [9]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 141.98.83.84 [5]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 
194.165.16.76 [2]\\r\\nIP: 91.240.118.99 [4]\\r\\nIP: 185.190.24.50 [6]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 141.98.83.89 [6]\\r\\nIP: 45.141.87.10 [10]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 141.98.83.131 [2]\\r\\nIP: 5.181.86.85 [8]\\r\\nIP: 45.141.87.9 [4]\\r\\nIP: 141.98.83.130 [2]\\r\\nIP: 5.181.86.11 [9]\\r\\nIP: 38.122.130.162 [13]\\r\\nIP: 195.78.54.73 [13]\\r\\nIP: 45.141.87.2 [13]\\r\\nIP: 89.248.168.54 [1]\\r\\nIP: 141.98.83.86 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.125 [3]\\r\\n135 more attempts by 20 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3257\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3258\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3259\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3260\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3261\",\r\n \"address\": 
\"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3262\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3263\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3264\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3265\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3266\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3267\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3268\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3269\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3270\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3271\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3272\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3273\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3274\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3275\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3276\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3277\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3278\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3279\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3280\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3281\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3282\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3283\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3284\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3285\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3286\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3287\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3288\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3289\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3290\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3291\",\r\n \"address\": \"91.240.118.99\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3292\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3293\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3294\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n 
\"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3295\",\r\n \"address\": \"45.141.87.10\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3296\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3297\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3298\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3299\",\r\n \"address\": \"45.141.87.9\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3300\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3301\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3302\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3303\",\r\n \"address\": \"195.78.54.73\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.78758,\r\n \"latitude\": 32.80194,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Ipxo Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3304\",\r\n \"address\": \"45.141.87.2\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3305\",\r\n \"address\": 
\"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3306\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3307\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3308\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3309\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3259\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3310\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3260\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3311\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3261\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3312\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3262\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3313\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3263\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3314\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3264\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3315\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3265\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3316\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3266\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3317\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3267\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3318\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3268\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3319\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3269\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3320\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3270\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3321\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3271\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3322\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3272\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3323\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3273\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3324\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3274\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3325\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3275\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3326\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3276\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3327\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3277\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3328\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3278\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3329\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3279\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3330\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3280\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3336\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3291\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3351\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517387551999999999_80f3982f-7a9d-4423-8aa9-5cc19be6a711/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"name\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-19T20:03:27.0439222Z\",\r\n \"processingEndTimeUtc\": \"2022-09-19T20:03:26.2194939Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-18T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3359\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. 
This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.190.24.17 [7]\\r\\nIP: 45.72.99.139 [1]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 181.214.206.176 [41]\\r\\nIP: 141.98.83.121 [2]\\r\\nIP: 141.98.83.124 [3]\\r\\nIP: 141.98.9.37 [10]\\r\\nIP: 88.214.25.12 [1]\\r\\nIP: 141.98.9.35 [10]\\r\\nIP: 147.78.47.154 [3]\\r\\nIP: 80.66.88.206 [2]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 45.227.254.48 [3]\\r\\nIP: 194.165.16.17 [3]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 45.227.254.54 [2]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 45.227.255.99 [1]\\r\\nIP: 141.98.9.34 [19]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 141.98.83.130 [1]\\r\\nIP: 95.142.121.53 [1]\\r\\nIP: 194.165.16.38 [7]\\r\\nIP: 194.26.29.48 [1]\\r\\nIP: 194.165.16.37 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 92.255.85.174 [3]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 5.181.86.11 [4]\\r\\nIP: 141.98.83.125 [5]\\r\\nIP: 
179.60.150.114 [15]\\r\\nIP: 20.106.123.242 [1]\\r\\nIP: 141.98.9.29 [2]\\r\\nIP: 141.98.81.137 [2]\\r\\nIP: 45.141.87.21 [5]\\r\\nIP: 91.240.242.16 [1]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 194.165.16.77 [1]\\r\\nIP: 38.122.130.162 [1]\\r\\nIP: 45.141.84.85 [2]\\r\\nIP: 141.98.83.131 [6]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 179.60.150.115 [8]\\r\\nIP: 141.98.83.84 [4]\\r\\nIP: 141.98.83.83 [9]\\r\\nIP: 45.227.255.13 [1]\\r\\n130 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3360\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3361\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3362\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3363\",\r\n \"address\": \"45.72.99.139\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 55286,\r\n \"carrier\": \"B2 Net Solutions Inc.\",\r\n \"organization\": \"B2 Net Solutions Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3364\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": 
{\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3365\",\r\n \"address\": \"181.214.206.176\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 3257,\r\n \"carrier\": \"Gtt Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3366\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3367\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3368\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3369\",\r\n \"address\": \"88.214.25.12\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3370\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3371\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3372\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3373\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3374\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3375\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3376\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3377\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3378\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3379\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3380\",\r\n 
\"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3381\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3382\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3383\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3384\",\r\n \"address\": \"95.142.121.53\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 198605,\r\n \"carrier\": \"Avast Software S.R.O.\",\r\n \"organization\": \"Prcdn Consumer Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3385\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3386\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3387\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3388\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3389\",\r\n \"address\": \"92.255.85.174\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": 
\"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3390\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3391\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3392\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3393\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3394\",\r\n \"address\": \"20.106.123.242\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n 
\"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3395\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3396\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3397\",\r\n \"address\": \"45.141.87.21\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3398\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3399\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 
267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3400\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3401\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3402\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3403\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3404\",\r\n \"address\": \"38.122.130.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3405\",\r\n \"address\": \"45.141.84.85\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3406\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3407\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3408\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3409\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3410\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n 
\"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3411\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3412\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3362\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3413\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3363\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3414\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3364\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3415\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3365\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3416\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3366\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3417\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3367\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3418\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3368\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3419\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3369\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3420\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3370\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3421\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3371\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3422\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3372\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3423\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3373\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3424\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3374\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3425\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3375\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3426\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3376\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3427\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3377\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3428\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3378\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3429\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3379\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3430\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3380\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3431\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3381\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3432\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3382\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3433\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3383\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3390\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3397\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3450\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3457\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517388415999999999_c2919a83-9501-4cb0-b41a-9ecaf83e3759/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"name\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-07T18:49:32.3154277Z\",\r\n \"processingEndTimeUtc\": \"2022-09-07T18:49:31.3026032Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-09-05T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-05T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3462\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 179.60.147.182 [1]\\r\\nIP: 176.111.173.247 [1]\\r\\nIP: 141.98.83.89 [5]\\r\\nIP: 209.126.5.42 [1]\\r\\nIP: 141.98.9.36 [14]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 80.66.88.214 [3]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 77.83.36.225 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.123 [6]\\r\\nIP: 141.98.83.132 [1]\\r\\nIP: 138.199.19.135 [7]\\r\\nIP: 141.98.83.133 [11]\\r\\nIP: 194.165.16.6 [3]\\r\\nIP: 141.98.81.137 [9]\\r\\nIP: 194.165.16.17 [4]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.10.207 [29]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 91.240.242.5 [8]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 194.165.16.71 [3]\\r\\nIP: 45.227.254.52 [6]\\r\\nIP: 141.98.9.37 [11]\\r\\nIP: 45.141.87.11 [2]\\r\\nIP: 141.98.83.128 [7]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 141.98.9.34 [29]\\r\\nIP: 62.233.50.113 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.253.204.134 [22]\\r\\nIP: 92.255.85.151 [1]\\r\\nIP: 45.227.253.254 [12]\\r\\nIP: 194.165.16.73 [3]\\r\\nIP: 213.6.148.83 [1]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 194.165.16.29 [7]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.254.55 [3]\\r\\nIP: 141.98.83.83 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3463\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3464\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3465\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3466\",\r\n \"address\": \"176.111.173.247\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Warszawa\",\r\n \"longitude\": 21.01834,\r\n \"latitude\": 52.2317,\r\n \"asn\": 213010,\r\n \"carrier\": \"Gigahostingservices Ou\",\r\n \"organization\": \"Gigahostingservices Ou\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3467\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3468\",\r\n \"address\": \"209.126.5.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Saint Louis\",\r\n \"longitude\": -90.19238,\r\n \"latitude\": 38.63137,\r\n \"asn\": 40021,\r\n \"carrier\": \"Contabo Inc.\",\r\n \"organization\": \"Contabo Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3469\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 
52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3470\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3471\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3472\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3473\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3474\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n 
\"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3475\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3476\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3477\",\r\n \"address\": \"77.83.36.225\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 35042,\r\n \"carrier\": \"Ip Interactive Ug (Haftungsbeschraenkt)\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3478\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3479\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3480\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3481\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3482\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3483\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3484\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3485\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3486\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3487\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3488\",\r\n \"address\": \"141.98.10.207\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3489\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3490\",\r\n \"address\": \"91.240.242.5\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": 
\"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3491\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3492\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3493\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3494\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3495\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3496\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3497\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3498\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3499\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3500\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3501\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3502\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3503\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3504\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3505\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3506\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3507\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3508\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3509\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3510\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3511\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3465\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3512\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3466\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3513\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3467\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3514\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_3468\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3515\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3469\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3516\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3470\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3517\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3471\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3518\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3472\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3519\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3473\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3520\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3474\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3521\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3475\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3522\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3476\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3523\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3477\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3524\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3478\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3525\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3479\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3526\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3480\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3527\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3481\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3528\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3482\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3529\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3483\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3530\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3484\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3531\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3485\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3532\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3486\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3533\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3487\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3534\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3535\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3543\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3500\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517399647999999999_93bfd7c5-8b1d-499b-b9c8-a597b634f168/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"name\": \"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T19:15:31.2420982Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T19:15:30.4547628Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3557\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 72.167.37.199 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 141.98.83.131 [4]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 141.98.83.128 [2]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.255.79 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 141.98.9.29 [8]\\r\\nIP: 92.255.85.151 [13]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 45.227.254.26 [2]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.83.130 [4]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 194.165.16.29 [4]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 103.75.187.224 [1]\\r\\nIP: 141.98.83.124 [4]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.132 [5]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.6 [4]\\r\\n72 more attempts by 6 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3558\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3559\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3560\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3561\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3562\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3563\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3564\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3565\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3566\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3567\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3568\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3569\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3570\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3571\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3572\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3573\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3574\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": 
\"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3575\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3576\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3577\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3578\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3579\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 
105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3580\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3581\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3582\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3583\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3584\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n 
\"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3585\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3586\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3587\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3588\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3589\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3590\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3591\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3592\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3593\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3594\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3596\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3597\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3598\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_3599\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3600\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3601\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3602\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3603\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3604\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3605\",\r\n \"address\": \"141.98.83.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3606\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3607\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3608\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3609\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 
25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3610\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3560\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3611\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3561\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3612\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3562\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3613\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3563\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3614\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3564\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3615\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3565\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3616\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3566\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3617\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3567\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3618\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3568\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3619\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3569\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3620\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3570\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3621\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3571\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3622\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3572\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3623\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3573\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3624\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3574\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3625\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3575\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3626\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3576\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3627\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3577\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3628\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3578\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3629\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3579\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3630\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3580\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3631\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3581\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3632\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3582\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3633\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3583\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3634\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3584\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3635\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3585\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3636\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3586\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3637\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3587\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3638\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3595\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3655\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3607\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_0a793d26-4a52-4f59-883f-bd532bc74752/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"name\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-06T20:06:49.6557309Z\",\r\n \"processingEndTimeUtc\": \"2022-09-06T20:06:49.179497Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-04T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3660\",\r\n \"azureResourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.125 [7]\\r\\nIP: 72.167.37.199 [1]\\r\\nIP: 141.98.9.199 [2]\\r\\nIP: 103.75.187.224 [2]\\r\\nIP: 92.255.85.151 [32]\\r\\nIP: 141.98.83.122 [1]\\r\\nIP: 188.190.42.60 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 141.98.81.137 [8]\\r\\nIP: 138.199.19.135 [2]\\r\\nIP: 141.98.9.34 [12]\\r\\nIP: 141.98.83.121 [5]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 96.60.188.241 [1]\\r\\nIP: 45.141.87.18 [2]\\r\\nIP: 147.78.47.146 [12]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 147.78.47.149 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 45.227.253.254 [16]\\r\\nIP: 141.98.83.127 [5]\\r\\nIP: 194.165.16.29 [10]\\r\\nIP: 194.165.16.17 [10]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 141.98.83.130 [7]\\r\\nIP: 141.98.9.36 [13]\\r\\nIP: 194.165.16.77 [3]\\r\\nIP: 141.98.83.128 [6]\\r\\nIP: 141.98.83.120 [4]\\r\\nIP: 185.170.144.135 [53]\\r\\nIP: 129.226.34.77 [1]\\r\\nIP: 41.169.98.196 [1]\\r\\nIP: 87.251.67.99 [3]\\r\\nIP: 45.227.254.49 [4]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 103.79.140.234 [5]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 27.71.226.103 [3]\\r\\nIP: 193.122.114.185 [1]\\r\\nIP: 5.253.204.134 [28]\\r\\nIP: 141.98.83.133 [2]\\r\\nIP: 92.255.85.40 [4]\\r\\nIP: 91.240.242.16 [2]\\r\\nIP: 141.98.9.29 [13]\\r\\nIP: 141.98.83.84 [3]\\r\\nIP: 141.98.9.35 [11]\\r\\nIP: 45.227.255.13 [3]\\r\\nIP: 141.98.83.131 [4]\\r\\n45 more attempts by 10 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3661\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3662\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3663\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3664\",\r\n \"address\": \"72.167.37.199\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.93249,\r\n \"latitude\": 33.33469,\r\n \"asn\": 398101,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Godaddy.Com Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3665\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3666\",\r\n \"address\": \"103.75.187.224\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Ha Noi\",\r\n \"longitude\": 105.84,\r\n \"latitude\": 21.022,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Inet Software One Member Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3667\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": 
\"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3668\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3669\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3670\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3671\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3672\",\r\n \"address\": \"138.199.19.135\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n 
\"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3673\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3674\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3675\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3676\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3677\",\r\n \"address\": \"96.60.188.241\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United 
States\",\r\n \"state\": \"Wisconsin\",\r\n \"city\": \"Junction City\",\r\n \"longitude\": -89.747,\r\n \"latitude\": 44.59457,\r\n \"asn\": 4181,\r\n \"carrier\": \"Tds Telecom\",\r\n \"organization\": \"Tds Telecom\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3678\",\r\n \"address\": \"45.141.87.18\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3679\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3680\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3681\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3682\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n 
\"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3683\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3684\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3685\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3686\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3687\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n 
\"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3688\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3689\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3690\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3691\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3692\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3693\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": 
\"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3694\",\r\n \"address\": \"185.170.144.135\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3695\",\r\n \"address\": \"129.226.34.77\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Maharashtra\",\r\n \"city\": \"Mumbai\",\r\n \"longitude\": 72.8777,\r\n \"latitude\": 19.076,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3696\",\r\n \"address\": \"41.169.98.196\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Gauteng\",\r\n \"city\": \"Johannesburg\",\r\n \"longitude\": 28.05639,\r\n \"latitude\": -26.19917,\r\n \"asn\": 36937,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Liquid Telecommunications Operations Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3697\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3698\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3699\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3700\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3701\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3702\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3703\",\r\n \"address\": \"193.122.114.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Washington\",\r\n \"city\": \"Seattle\",\r\n \"longitude\": -122.33352,\r\n \"latitude\": 47.61101,\r\n \"asn\": 31898,\r\n \"carrier\": \"Oracle Corporation\",\r\n \"organization\": \"Oracle Public Cloud\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3704\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3705\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3706\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3707\",\r\n \"address\": \"91.240.242.16\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Alliance Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3708\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3709\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3710\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3711\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3712\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3713\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3663\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3714\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3664\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3715\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3665\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3716\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3666\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3717\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3667\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3718\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3668\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3719\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3669\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3720\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3670\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3721\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3671\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3722\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3672\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3723\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3673\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3724\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3674\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3725\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3675\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3726\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3676\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3727\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3677\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3728\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3678\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3729\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3679\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3730\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3680\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3731\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3681\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3732\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3682\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3733\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3683\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3734\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3684\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3735\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3685\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3736\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3686\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3737\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3687\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3738\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3688\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3739\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3689\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3740\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3690\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3698\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3758\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517400511999999999_68f0b29d-0a50-4062-a61f-66d184dcae33/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"name\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-03T19:41:58.5199865Z\",\r\n \"processingEndTimeUtc\": \"2022-09-03T19:41:57.422375Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": 
\"centralus_3763\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 188.190.42.60 [1]\\r\\nIP: 92.255.85.168 [4]\\r\\nIP: 141.98.83.87 [5]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 179.60.147.182 [3]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 45.227.253.130 [18]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 80.66.88.203 [1]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 185.190.24.102 [10]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.173 [1]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 92.255.85.151 [36]\\r\\nIP: 51.81.210.3 [1]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\n41 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3764\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3765\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3766\",\r\n \"address\": \"188.190.42.60\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Khmel'nyts'ka Oblast'\",\r\n \"city\": \"Horodok\",\r\n \"longitude\": 26.5839,\r\n \"latitude\": 49.1637,\r\n \"asn\": 49332,\r\n \"carrier\": \"Lanet Network Ltd\",\r\n \"organization\": \"Lanet Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3767\",\r\n \"address\": \"92.255.85.168\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3768\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3769\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3770\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3771\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3772\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3773\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n 
\"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3774\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3775\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3776\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3777\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3778\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": 
\"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3779\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3780\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3781\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3782\",\r\n \"address\": \"45.227.253.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3783\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": 
\"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3784\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3785\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3786\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3787\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3788\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3789\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3790\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3791\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": \"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3792\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3793\",\r\n \"address\": 
\"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3794\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3795\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3796\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3797\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3798\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n 
\"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3799\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3800\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3801\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3802\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3804\",\r\n 
\"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3805\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3806\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3807\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3808\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3809\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n 
\"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3810\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3811\",\r\n \"address\": \"51.81.210.3\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Oregon\",\r\n \"city\": \"Hillsboro\",\r\n \"longitude\": -122.95607,\r\n \"latitude\": 45.59054,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Us Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3812\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3813\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3814\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3815\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3816\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3766\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3817\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3767\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3818\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3768\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3819\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3769\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3820\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3770\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3821\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3771\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3822\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3772\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3823\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3773\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3824\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3774\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3825\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3775\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3826\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3776\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3827\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3777\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3828\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3778\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3829\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3779\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3830\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3780\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3831\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3781\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3832\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3782\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3833\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3783\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3834\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3784\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3835\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3785\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3836\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3786\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3837\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3787\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3838\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3788\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3839\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3789\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3840\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3790\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3841\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_3791\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3842\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3792\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3793\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3852\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3810\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_ec3f54c3-109f-4c49-9920-72223ac27a2f/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"name\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-05T01:45:32.5912419Z\",\r\n \"processingEndTimeUtc\": \"2022-09-05T01:45:31.6805301Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-02T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3866\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 92.255.85.40 [3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 185.190.24.61 [1]\\r\\nIP: 5.253.204.134 [29]\\r\\nIP: 141.98.83.120 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.81.137 [1]\\r\\nIP: 194.165.16.29 [1]\\r\\nIP: 141.98.83.128 [1]\\r\\nIP: 141.98.83.125 [4]\\r\\nIP: 141.98.83.86 [3]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 93.43.27.126 [1]\\r\\nIP: 185.156.72.29 [4]\\r\\nIP: 87.251.67.99 [1]\\r\\nIP: 141.98.83.83 [3]\\r\\nIP: 134.209.148.16 [1]\\r\\nIP: 141.98.9.35 [4]\\r\\nIP: 141.98.83.88 [3]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 141.98.83.132 [2]\\r\\nIP: 79.175.151.178 [3]\\r\\nIP: 141.98.9.199 [1]\\r\\nIP: 103.79.140.234 [2]\\r\\nIP: 141.98.83.84 [7]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 141.98.83.87 [7]\\r\\nIP: 141.98.9.34 [25]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 45.227.254.5 [9]\\r\\nIP: 141.98.10.37 [8]\\r\\nIP: 202.40.179.78 [1]\\r\\nIP: 194.165.16.158 [8]\\r\\nIP: 141.98.83.121 [6]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 147.78.47.149 [2]\\r\\nIP: 92.255.85.166 [3]\\r\\nIP: 92.255.85.152 [6]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 103.15.50.155 [4]\\r\\nIP: 141.98.9.29 [5]\\r\\nIP: 141.98.83.123 [3]\\r\\nIP: 194.165.16.16 [7]\\r\\nIP: 194.28.112.140 [5]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 185.190.24.102 [10]\\r\\n87 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3867\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3868\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3869\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3870\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3871\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3872\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3873\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3874\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3875\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3876\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3877\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3878\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3879\",\r\n \"address\": \"141.98.83.128\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3880\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3881\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3882\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n 
\"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3883\",\r\n \"address\": \"93.43.27.126\",\r\n \"location\": {\r\n \"countryCode\": \"IT\",\r\n \"countryName\": \"Italy\",\r\n \"state\": \"Roma\",\r\n \"city\": \"Roma\",\r\n \"longitude\": 12.3063,\r\n \"latitude\": 41.7755,\r\n \"asn\": 12874,\r\n \"carrier\": \"Fastweb Spa\",\r\n \"organization\": \"Ibc-001 Public Subnet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3884\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3885\",\r\n \"address\": \"87.251.67.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3886\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3887\",\r\n \"address\": \"134.209.148.16\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Massachusetts\",\r\n \"city\": \"Mansfield\",\r\n \"longitude\": -71.22189,\r\n \"latitude\": 42.01698,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n 
},\r\n {\r\n \"$id\": \"centralus_3888\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3889\",\r\n \"address\": \"141.98.83.88\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3890\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3891\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3892\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3893\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 
9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3894\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3895\",\r\n \"address\": \"141.98.9.199\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3896\",\r\n \"address\": \"103.79.140.234\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Quang Tri\",\r\n \"city\": \"Dong Ha\",\r\n \"longitude\": 107.09,\r\n \"latitude\": 16.809,\r\n \"asn\": 135967,\r\n \"carrier\": \"Bach Kim Network Solutions Join Stock Company\",\r\n \"organization\": \"Cadi International Trading Services Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3897\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3898\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3899\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3900\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3901\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3902\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3903\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3904\",\r\n \"address\": \"202.40.179.78\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n \"state\": \"Dhaka\",\r\n \"city\": 
\"Dhaka\",\r\n \"longitude\": 90.4125,\r\n \"latitude\": 23.8103,\r\n \"asn\": 23991,\r\n \"carrier\": \"Ranks Itt Ltd.\",\r\n \"organization\": \"Nationwide Isp & Iptsp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3905\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3906\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3907\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3908\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3909\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 
59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3910\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3911\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3912\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3913\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3914\",\r\n \"address\": \"141.98.83.123\",\r\n 
\"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3915\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3916\",\r\n \"address\": \"194.28.112.140\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3917\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3918\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3919\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3869\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3920\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3870\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3921\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3871\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3922\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3872\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3923\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3873\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3924\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3874\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3925\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3875\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3926\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3876\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3927\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3877\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3928\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3878\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3929\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3879\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3930\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3880\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3931\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3881\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3932\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3882\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3933\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3883\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3934\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3884\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3935\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3885\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3936\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3886\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3887\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3888\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3889\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3890\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3891\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3892\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3893\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3894\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3907\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3958\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_3967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_3968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517402239999999999_f03d60d5-6c4b-4ca8-988e-b063550db0b5/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"name\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-09-02T19:26:44.4857834Z\",\r\n \"processingEndTimeUtc\": \"2022-09-02T19:26:43.9850649Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-09-01T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_3969\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud 
detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.6 [4]\\r\\nIP: 193.142.147.67 [26]\\r\\nIP: 141.98.83.85 [1]\\r\\nIP: 141.98.9.36 [3]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 141.98.81.137 [5]\\r\\nIP: 45.227.254.5 [39]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 147.78.47.147 [9]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 103.15.50.155 [1]\\r\\nIP: 92.255.85.40 [6]\\r\\nIP: 213.226.123.66 [1]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 194.165.16.158 [5]\\r\\nIP: 196.44.131.147 [1]\\r\\nIP: 146.190.60.103 [1]\\r\\nIP: 212.22.187.98 [7]\\r\\nIP: 141.98.83.131 [1]\\r\\nIP: 185.190.24.102 [11]\\r\\nIP: 147.78.47.149 [10]\\r\\nIP: 165.227.225.29 [2]\\r\\nIP: 92.255.85.195 [2]\\r\\nIP: 45.227.254.53 [2]\\r\\nIP: 141.98.83.83 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 185.190.24.61 [9]\\r\\nIP: 45.227.254.49 
[3]\\r\\nIP: 212.118.107.26 [1]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 80.66.88.209 [5]\\r\\nIP: 141.98.9.35 [6]\\r\\nIP: 194.165.16.16 [4]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 141.98.83.123 [7]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 80.66.88.206 [1]\\r\\nIP: 89.248.168.54 [2]\\r\\nIP: 79.175.151.178 [6]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 141.98.83.132 [3]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 213.226.123.35 [2]\\r\\nIP: 80.66.88.212 [1]\\r\\nIP: 141.98.9.37 [2]\\r\\nIP: 141.98.83.89 [2]\\r\\nIP: 141.98.83.127 [2]\\r\\nIP: 5.253.204.134 [27]\\r\\nIP: 179.60.147.32 [19]\\r\\n92 more attempts by 18 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_3970\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_3971\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_3972\",\r\n \"address\": \"194.165.16.6\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3973\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_3974\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3975\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3976\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3977\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3978\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3979\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n 
\"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3980\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3981\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3982\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3983\",\r\n \"address\": \"92.255.85.40\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3984\",\r\n \"address\": \"213.226.123.66\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3985\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3986\",\r\n \"address\": \"194.165.16.158\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3987\",\r\n \"address\": \"196.44.131.147\",\r\n \"location\": {\r\n \"countryCode\": \"NA\",\r\n \"countryName\": \"Namibia\",\r\n \"state\": \"Khomas\",\r\n \"city\": \"Windhoek\",\r\n \"longitude\": 17.0875,\r\n \"latitude\": -22.57056,\r\n \"asn\": 36996,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"Telecom Namibia\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3988\",\r\n \"address\": \"146.190.60.103\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Simi Valley\",\r\n \"longitude\": -118.68727,\r\n \"latitude\": 
34.2931,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3989\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3990\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3991\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3992\",\r\n \"address\": \"147.78.47.149\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3993\",\r\n \"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n 
\"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3994\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3995\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3996\",\r\n \"address\": \"141.98.83.83\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3997\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3998\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_3999\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4000\",\r\n \"address\": \"212.118.107.26\",\r\n \"location\": {\r\n \"countryCode\": \"SA\",\r\n \"countryName\": \"Saudi Arabia\",\r\n \"state\": \"Ar Riyad\",\r\n \"city\": \"Ar Riya\",\r\n \"longitude\": 46.72185,\r\n \"latitude\": 24.68773,\r\n \"asn\": 34397,\r\n \"carrier\": \"Middle East Internet Company Limited\",\r\n \"organization\": \"Middle East Internet Company Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4001\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4002\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4003\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp 
Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4004\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4005\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4006\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4007\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4008\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4009\",\r\n \"address\": \"80.66.88.206\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4010\",\r\n \"address\": \"89.248.168.54\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 202425,\r\n \"carrier\": \"Ip Volume Inc\",\r\n \"organization\": \"Ip Volume Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4011\",\r\n \"address\": \"79.175.151.178\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 25184,\r\n \"carrier\": \"Afranet\",\r\n \"organization\": \"Afranet\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4012\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4013\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4014\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4015\",\r\n \"address\": \"213.226.123.35\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49943,\r\n \"carrier\": \"It Resheniya Llc\",\r\n \"organization\": \"It Resheniya Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4016\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4017\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4018\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4019\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": 
\"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4020\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4021\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4022\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3972\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4023\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3973\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4024\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3974\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4025\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3975\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4026\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3976\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3977\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3978\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3979\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3980\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3981\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3983\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4036\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_3986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_3999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4057\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4065\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517403103999999999_886082b3-5cdb-4aca-8687-4d1bffa23ff1/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"name\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"type\": 
\"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-30T19:51:55.8070313Z\",\r\n \"processingEndTimeUtc\": \"2022-08-30T19:51:55.0291097Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4072\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.81.137 [6]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 45.227.254.48 [5]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 98.102.248.102 [1]\\r\\nIP: 45.227.254.5 [26]\\r\\nIP: 178.18.241.15 [1]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 194.165.16.78 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 194.26.29.48 [5]\\r\\nIP: 141.98.9.34 [3]\\r\\nIP: 5.253.204.134 [12]\\r\\nIP: 147.78.47.154 [4]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 194.165.16.17 [6]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 179.60.150.113 [2]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\nIP: 141.98.9.37 [5]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 212.22.187.98 [6]\\r\\nIP: 87.251.75.119 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.120 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 85.172.1.54 [2]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.246.21.206 [1]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 185.221.134.42 [2]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 103.15.50.155 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 92.255.85.181 [2]\\r\\nIP: 141.98.83.126 [2]\\r\\nIP: 5.181.86.88 [3]\\r\\n175 more attempts by 35 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4073\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4074\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4075\",\r\n \"address\": \"141.98.81.137\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Drenthe\",\r\n \"city\": \"Meppel\",\r\n \"longitude\": 6.19086,\r\n \"latitude\": 52.69648,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4076\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4077\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4078\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4079\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4080\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4081\",\r\n \"address\": \"178.18.241.15\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Baden-Wuerttemberg\",\r\n \"city\": \"Karlsruhe-Weststadt\",\r\n \"longitude\": 8.37933,\r\n \"latitude\": 49.015,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4082\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4083\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4084\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": 
\"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4085\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4086\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4087\",\r\n \"address\": \"194.26.29.48\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\",\r\n \"organization\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4088\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4089\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4090\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4091\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4092\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4093\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern 
Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4094\",\r\n \"address\": \"194.165.16.17\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4095\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4096\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4097\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4098\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4099\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4100\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4101\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4102\",\r\n \"address\": \"141.98.9.37\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4103\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4104\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": 
\"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4105\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4106\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4107\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4108\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4109\",\r\n \"address\": \"141.98.83.120\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4110\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4111\",\r\n \"address\": \"85.172.1.54\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Krasnodarskiy Kray\",\r\n \"city\": \"Krasnodar\",\r\n \"longitude\": 38.98064,\r\n \"latitude\": 45.04215,\r\n \"asn\": 25490,\r\n \"carrier\": \"Pjsc Rostelecom\",\r\n \"organization\": \"Ojsc Rostelecom Macroregional Branch South\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4112\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4113\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech 
Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4114\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4115\",\r\n \"address\": \"162.246.21.206\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Secaucus\",\r\n \"longitude\": -74.06453,\r\n \"latitude\": 40.77826,\r\n \"asn\": 19318,\r\n \"carrier\": \"Interserver Inc\",\r\n \"organization\": \"Interserver Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4116\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4117\",\r\n \"address\": \"185.221.134.42\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.26486,\r\n \"latitude\": 34.05285,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4118\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": 
\"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4119\",\r\n \"address\": \"103.15.50.155\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45538,\r\n \"carrier\": \"Ods Joint Stock Company\",\r\n \"organization\": \"Mat Bao Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4120\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4121\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4122\",\r\n \"address\": \"92.255.85.181\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4123\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4124\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4125\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4075\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4126\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4076\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4127\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4077\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4128\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4078\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4129\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4079\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4130\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4080\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4131\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4081\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4132\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4082\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4133\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4083\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4134\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4084\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4135\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4085\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4136\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4086\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4137\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4087\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4138\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4088\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4139\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4089\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4140\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4090\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4141\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4091\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4142\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4092\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4143\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4093\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4144\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4094\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4145\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4095\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4146\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4096\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4147\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4097\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4148\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4098\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4149\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4099\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4150\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4100\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4151\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4101\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4152\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4102\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4153\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4103\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4154\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4104\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4155\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4105\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4156\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4106\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4157\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4107\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4158\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4108\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4159\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4109\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4160\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4110\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4161\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4111\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4162\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4112\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4163\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4113\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4164\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4114\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4165\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4115\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4166\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4116\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4167\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4117\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4168\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4118\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4169\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4119\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4170\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4120\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4171\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4121\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4172\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4122\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4173\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4123\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4174\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4124\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_73bd6dfc-03e2-478c-9560-16476693bbae/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"name\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-31T19:26:52.5249315Z\",\r\n \"processingEndTimeUtc\": \"2022-08-31T19:26:52.1218206Z\",\r\n \"version\": \"2022-01-01.0\",\r\n 
\"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-29T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4175\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 98.102.248.102 [1]\\r\\nIP: 179.60.150.116 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 92.255.85.195 [3]\\r\\nIP: 162.62.14.97 [1]\\r\\nIP: 5.253.204.134 [13]\\r\\nIP: 185.190.24.61 [2]\\r\\nIP: 212.22.187.98 [8]\\r\\nIP: 80.66.88.211 [2]\\r\\nIP: 147.78.47.154 [6]\\r\\nIP: 191.96.168.250 [10]\\r\\nIP: 80.66.88.212 [4]\\r\\nIP: 88.214.25.13 [2]\\r\\nIP: 74.174.144.6 [1]\\r\\nIP: 141.98.9.35 [3]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 194.165.16.16 [6]\\r\\nIP: 185.190.24.17 [51]\\r\\nIP: 141.98.83.87 [2]\\r\\nIP: 141.98.83.130 [3]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 185.190.24.93 [1]\\r\\nIP: 193.142.147.66 [36]\\r\\nIP: 185.161.69.10 [2]\\r\\nIP: 185.190.24.48 [2]\\r\\nIP: 45.141.84.116 [7]\\r\\nIP: 152.89.196.90 [2]\\r\\nIP: 141.98.9.29 [10]\\r\\nIP: 141.98.83.89 [4]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 195.133.20.247 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 196.188.171.249 [2]\\r\\nIP: 194.165.16.29 [6]\\r\\nIP: 141.98.83.84 [2]\\r\\nIP: 141.98.83.123 [1]\\r\\nIP: 185.190.24.50 [4]\\r\\nIP: 194.93.58.59 [1]\\r\\nIP: 87.251.75.119 [59]\\r\\nIP: 179.60.147.32 [20]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 185.190.24.32 [3]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 80.66.88.207 [3]\\r\\nIP: 80.66.88.210 [2]\\r\\nIP: 147.78.47.146 [4]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.16.4 [3]\\r\\nIP: 80.66.88.208 [3]\\r\\n135 more attempts by 44 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4176\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4177\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4178\",\r\n \"address\": \"98.102.248.102\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Cleveland\",\r\n \"longitude\": -81.82835,\r\n \"latitude\": 41.37197,\r\n \"asn\": 10796,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4179\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4180\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4181\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4182\",\r\n \"address\": \"162.62.14.97\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"16 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4183\",\r\n \"address\": \"5.253.204.134\",\r\n \"location\": {\r\n \"countryCode\": \"LU\",\r\n \"countryName\": \"Luxembourg\",\r\n \"state\": \"Luxembourg\",\r\n \"city\": \"Luxembourg\",\r\n \"longitude\": 6.10624,\r\n \"latitude\": 49.61624,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Luxembourg Noc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4184\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4185\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4186\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet 
Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4187\",\r\n \"address\": \"147.78.47.154\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4188\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4189\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4190\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4191\",\r\n \"address\": \"74.174.144.6\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Kentucky\",\r\n \"city\": \"Corbin\",\r\n \"longitude\": -84.11583,\r\n \"latitude\": 36.92363,\r\n \"asn\": 2386,\r\n \"carrier\": \"At&T Data Communications Services\",\r\n \"organization\": \"Eastern Cable Corp - Bgk Lan\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4192\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4193\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4194\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4195\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus 
Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4196\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4197\",\r\n \"address\": \"141.98.83.87\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4198\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4199\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4200\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4201\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4202\",\r\n \"address\": \"185.161.69.10\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Delaware\",\r\n \"city\": \"Hockessin\",\r\n \"longitude\": -75.68502,\r\n \"latitude\": 39.7866,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4203\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4204\",\r\n \"address\": \"45.141.84.116\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4205\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4206\",\r\n \"address\": \"141.98.9.29\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4207\",\r\n \"address\": \"141.98.83.89\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4208\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4209\",\r\n \"address\": \"195.133.20.247\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4210\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4211\",\r\n \"address\": \"196.188.171.249\",\r\n \"location\": {\r\n \"countryCode\": \"ET\",\r\n \"countryName\": \"Ethiopia\",\r\n \"state\": \"Adis Abeba\",\r\n \"city\": \"Addis Ababa\",\r\n \"longitude\": 38.7468,\r\n \"latitude\": 9.0227,\r\n \"asn\": 24757,\r\n \"carrier\": \"Ethionet\",\r\n \"organization\": \"To__Bras_Dhcp_Oa-10800E\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4212\",\r\n \"address\": \"194.165.16.29\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4213\",\r\n \"address\": \"141.98.83.84\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4214\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4215\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4216\",\r\n \"address\": \"194.93.58.59\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Texas\",\r\n \"city\": \"Dallas\",\r\n \"longitude\": -96.81423,\r\n \"latitude\": 32.80543,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Dallas Tx\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4217\",\r\n \"address\": \"87.251.75.119\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4218\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4219\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4220\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4221\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4222\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4223\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4224\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4225\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": 
\"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4226\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4227\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4228\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4178\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4229\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4179\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4230\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4180\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4231\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4181\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4232\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4182\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4233\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4183\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4234\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4184\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4235\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4185\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4236\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4186\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4237\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4187\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4238\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4188\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4239\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4189\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4240\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4190\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4241\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4191\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4242\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4192\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4243\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4193\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4244\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4194\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4245\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4195\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4246\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4196\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4247\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4197\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4248\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4198\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4249\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4199\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4250\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4200\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4251\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4201\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4252\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4202\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4253\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4203\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4254\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4204\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4255\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4205\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4256\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4206\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4257\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4207\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4258\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4208\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4259\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4209\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4260\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4210\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4261\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4211\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4262\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4212\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4263\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4213\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4264\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4214\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4265\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4215\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4266\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4216\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4267\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4217\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4268\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4218\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4269\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4219\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4270\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4220\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4271\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4221\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4272\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4222\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4273\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4223\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4274\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4224\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4275\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4225\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4276\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4226\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4277\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4227\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517405695999999999_7cc64d69-2820-4005-a29e-f301366a4457/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"name\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": 
\"2022-08-29T19:20:02.815682Z\",\r\n \"processingEndTimeUtc\": \"2022-08-29T19:20:02.1041712Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4278\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 185.156.72.31 [5]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 213.6.148.83 [2]\\r\\nIP: 113.161.87.179 [1]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 141.98.83.130 [5]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 194.28.112.149 [1]\\r\\nIP: 45.227.253.124 [18]\\r\\nIP: 193.142.147.53 [12]\\r\\nIP: 198.23.221.162 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 194.165.17.12 [30]\\r\\nIP: 191.96.168.250 [75]\\r\\nIP: 194.165.16.16 [1]\\r\\nIP: 92.51.70.138 [1]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 141.98.83.122 [2]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 5.61.60.26 [3]\\r\\nIP: 87.251.75.45 [11]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 141.98.9.36 [1]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 45.227.254.51 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 141.98.9.35 [2]\\r\\nIP: 185.196.220.52 [10]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 194.165.16.72 [3]\\r\\nIP: 141.98.83.133 [4]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 141.98.83.127 [1]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.143.201.62 [2]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 141.98.83.121 [1]\\r\\nIP: 92.255.85.195 [1]\\r\\nIP: 141.98.9.34 [5]\\r\\nIP: 212.22.187.98 [4]\\r\\n182 more attempts by 33 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4279\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4280\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4281\",\r\n \"address\": \"185.156.72.31\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4282\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4283\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4284\",\r\n \"address\": \"113.161.87.179\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n 
\"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4285\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4286\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4287\",\r\n \"address\": \"141.98.83.130\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4288\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4289\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4290\",\r\n 
\"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4291\",\r\n \"address\": \"194.28.112.149\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4292\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4293\",\r\n \"address\": \"193.142.147.53\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4294\",\r\n \"address\": \"198.23.221.162\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4295\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4296\",\r\n \"address\": \"194.165.17.12\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4297\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4298\",\r\n \"address\": \"194.165.16.16\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4299\",\r\n \"address\": \"92.51.70.138\",\r\n \"location\": {\r\n \"countryCode\": \"GE\",\r\n \"countryName\": \"Georgia\",\r\n \"state\": \"Tbilisi\",\r\n \"city\": \"Tbilisi\",\r\n \"longitude\": 44.83368,\r\n \"latitude\": 41.69411,\r\n \"asn\": 44327,\r\n \"carrier\": \"Delta Comm Llc\",\r\n \"organization\": \"Infra-Aw\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4300\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4301\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4302\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4303\",\r\n \"address\": \"141.98.83.122\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4304\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4305\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n 
\"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4306\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4307\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4308\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4309\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4310\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n \"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4311\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4312\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4313\",\r\n \"address\": \"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4314\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications 
Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4315\",\r\n \"address\": \"141.98.9.35\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4316\",\r\n \"address\": \"185.196.220.52\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4317\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4318\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4319\",\r\n \"address\": \"141.98.83.133\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4320\",\r\n \"address\": 
\"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4321\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4322\",\r\n \"address\": \"141.98.83.127\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4323\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. 
Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4324\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4325\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4326\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4327\",\r\n \"address\": \"141.98.83.121\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4328\",\r\n \"address\": \"92.255.85.195\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4329\",\r\n \"address\": \"141.98.9.34\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4330\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4331\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4281\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4332\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4282\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4333\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4283\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4334\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4284\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4335\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4285\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4336\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4286\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4337\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4287\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4338\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4288\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4339\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4289\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4340\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4290\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4341\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4291\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4342\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4292\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4343\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4293\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4344\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4294\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4345\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4295\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4346\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4296\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4347\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4297\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4348\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4298\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4349\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4299\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4350\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4300\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4351\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4301\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4352\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4302\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4353\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4303\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4354\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4304\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4355\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4305\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4356\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4306\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4357\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4307\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4358\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4308\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4359\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4309\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4360\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4310\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4361\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4311\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4362\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4312\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4363\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4313\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4364\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4314\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4365\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4315\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4366\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4316\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4367\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4317\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4368\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4318\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4369\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4319\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4370\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4320\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4371\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4321\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4372\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4322\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4373\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4323\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4374\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4324\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4375\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4325\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4376\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4326\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4377\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4327\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4378\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4328\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4379\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4329\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4380\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4330\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_5dae424a-ec6c-4c91-9339-75cbf047c7aa/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"name\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-29T03:10:05.3539329Z\",\r\n 
\"processingEndTimeUtc\": \"2022-08-29T03:10:03.616463Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-27T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4381\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. 
Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.9.36 [1]\\r\\nIP: 147.78.47.146 [2]\\r\\nIP: 45.227.254.5 [19]\\r\\nIP: 191.252.62.106 [2]\\r\\nIP: 141.98.83.85 [4]\\r\\nIP: 45.227.253.124 [15]\\r\\nIP: 141.98.83.132 [6]\\r\\nIP: 80.66.88.210 [1]\\r\\nIP: 45.227.254.55 [2]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 185.156.72.29 [2]\\r\\nIP: 179.60.147.31 [28]\\r\\nIP: 5.61.60.26 [2]\\r\\nIP: 147.78.47.147 [3]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 31.214.141.3 [1]\\r\\nIP: 45.227.254.8 [1]\\r\\nIP: 195.133.20.248 [1]\\r\\nIP: 97.106.89.92 [2]\\r\\nIP: 92.255.85.152 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 141.98.83.125 [2]\\r\\nIP: 52.172.27.33 [1]\\r\\nIP: 179.60.150.114 [6]\\r\\nIP: 45.227.254.51 [1]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 92.255.85.151 [30]\\r\\nIP: 185.190.24.103 [11]\\r\\nIP: 45.227.254.52 [2]\\r\\nIP: 45.227.253.254 [15]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 141.98.83.86 [2]\\r\\nIP: 165.227.225.29 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 179.60.147.182 [2]\\r\\nIP: 103.99.2.225 [1]\\r\\nIP: 185.196.220.34 [35]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 141.98.83.172 [7]\\r\\nIP: 212.22.187.98 [4]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 191.96.168.250 [67]\\r\\nIP: 118.123.105.85 [1]\\r\\nIP: 141.98.83.131 [3]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 20.163.56.75 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.156.72.25 [3]\\r\\n118 more attempts by 27 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4382\",\r\n \"resourceId\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4383\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4384\",\r\n \"address\": \"141.98.9.36\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Alviva Holding Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4385\",\r\n \"address\": \"147.78.47.146\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4386\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4387\",\r\n \"address\": \"191.252.62.106\",\r\n \"location\": {\r\n \"countryCode\": \"BR\",\r\n \"countryName\": \"Brazil\",\r\n \"state\": \"Sao Paulo\",\r\n \"city\": \"Sao Paulo\",\r\n \"longitude\": -46.63314,\r\n \"latitude\": -23.55152,\r\n \"asn\": 27715,\r\n \"carrier\": \"Locaweb Servios De Internet S/A\",\r\n 
\"organization\": \"Locaweb Servi Os De Internet S/A\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4388\",\r\n \"address\": \"141.98.83.85\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4389\",\r\n \"address\": \"45.227.253.124\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4390\",\r\n \"address\": \"141.98.83.132\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4391\",\r\n \"address\": \"80.66.88.210\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4392\",\r\n \"address\": \"45.227.254.55\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4393\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n 
\"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4394\",\r\n \"address\": \"185.156.72.29\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4395\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4396\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4397\",\r\n \"address\": \"147.78.47.147\",\r\n \"location\": {\r\n \"countryCode\": \"RO\",\r\n \"countryName\": \"Romania\",\r\n \"state\": \"Bucuresti\",\r\n \"city\": \"Bucuresti\",\r\n \"longitude\": 26.09935,\r\n \"latitude\": 44.43655,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4398\",\r\n \"address\": \"80.66.88.205\",\r\n 
\"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4399\",\r\n \"address\": \"31.214.141.3\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hamburg\",\r\n \"city\": \"Hamburg\",\r\n \"longitude\": 10.0819,\r\n \"latitude\": 53.6423,\r\n \"asn\": 30823,\r\n \"carrier\": \"Combahton Gmbh\",\r\n \"organization\": \"Zap-Hosting Gmbh & Co. Kg\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4400\",\r\n \"address\": \"45.227.254.8\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4401\",\r\n \"address\": \"195.133.20.248\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211059,\r\n \"carrier\": \"Tribeka Web Advisors S.A.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4402\",\r\n \"address\": \"97.106.89.92\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.46379,\r\n \"latitude\": 27.98598,\r\n \"asn\": 33363,\r\n \"carrier\": \"Charter Communications Inc\",\r\n \"organization\": \"Charter Communications Inc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4403\",\r\n 
\"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4404\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4405\",\r\n \"address\": \"141.98.83.125\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4406\",\r\n \"address\": \"52.172.27.33\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Tamil Nadu\",\r\n \"city\": \"Chennai\",\r\n \"longitude\": 80.2508,\r\n \"latitude\": 13.0524,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4407\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4408\",\r\n \"address\": 
\"45.227.254.51\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4409\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4410\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4411\",\r\n \"address\": \"92.255.85.151\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4412\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4413\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4414\",\r\n \"address\": \"45.227.253.254\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"state\": \"Panama\",\r\n \"city\": \"Panama\",\r\n \"longitude\": -79.5188,\r\n \"latitude\": 8.9943,\r\n \"asn\": 49453,\r\n \"carrier\": \"Global Layer\",\r\n \"organization\": \"Directwebh Corp\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4415\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4416\",\r\n \"address\": \"141.98.83.86\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4417\",\r\n 
\"address\": \"165.227.225.29\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4418\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4419\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4420\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4421\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4422\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": 
{\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4423\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4424\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n \"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4425\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4426\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4427\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n 
\"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4428\",\r\n \"address\": \"118.123.105.85\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Sichuan\",\r\n \"city\": \"Chengdu\",\r\n \"longitude\": 104.0675,\r\n \"latitude\": 30.65306,\r\n \"asn\": 38283,\r\n \"carrier\": \"Chinanet Sichuan Telecom Internet Data Center\",\r\n \"organization\": \"Chinanet Sichuan Province Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4429\",\r\n \"address\": \"141.98.83.131\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4430\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4431\",\r\n \"address\": \"20.163.56.75\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4432\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n 
\"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4433\",\r\n \"address\": \"185.156.72.25\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 61432,\r\n \"carrier\": \"Itbks892\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4434\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4384\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4435\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4385\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4436\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4386\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4437\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4387\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4438\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4388\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4439\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4389\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4440\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4390\"\r\n },\r\n \"destinationPort\": 
3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4441\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4391\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4442\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4392\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4443\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4393\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4444\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4394\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4445\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4395\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4446\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4396\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4447\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4397\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4448\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4398\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4449\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4399\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4450\",\r\n \"sourceAddress\": {\r\n 
\"$ref\": \"centralus_4400\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4451\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4401\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4452\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4402\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4453\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4403\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4454\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4404\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4455\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4405\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4456\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4406\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4457\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4407\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4458\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4408\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4459\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4409\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4460\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4410\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4461\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4411\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4462\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4412\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4463\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4413\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4464\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4414\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4465\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4415\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4466\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4416\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4467\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4417\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4468\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4418\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4469\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4419\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4470\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4420\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4471\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4421\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4472\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4422\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4473\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4423\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4474\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4424\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4475\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4425\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4476\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4426\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4477\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4427\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4478\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4428\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4479\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4429\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4480\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4430\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4481\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4431\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4482\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4432\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4483\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4433\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517407423999999999_9869cbdb-592c-4d2e-ba39-5ffca7c634e9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"name\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-27T19:18:23.4694672Z\",\r\n \"processingEndTimeUtc\": \"2022-08-27T19:18:22.6090964Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": 
\"2022-08-26T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-26T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4484\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.99 [2]\\r\\nIP: 185.196.220.28 [1]\\r\\nIP: 103.124.137.161 [1]\\r\\nIP: 87.251.75.45 [125]\\r\\nIP: 212.122.84.86 [4]\\r\\nIP: 109.107.166.20 [1]\\r\\nIP: 103.99.2.225 [6]\\r\\nIP: 185.196.220.59 [2]\\r\\nIP: 194.165.16.34 [1]\\r\\nIP: 212.22.187.98 [3]\\r\\nIP: 191.96.168.250 [51]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 139.99.135.225 [1]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 80.66.88.209 [2]\\r\\nIP: 152.89.196.90 [4]\\r\\nIP: 45.141.87.11 [3]\\r\\nIP: 45.140.210.69 [1]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 179.60.150.114 [2]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 104.156.55.56 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.101 [3]\\r\\nIP: 45.227.254.48 [2]\\r\\nIP: 184.105.5.195 [1]\\r\\nIP: 185.190.24.103 [2]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 193.142.147.55 [1]\\r\\nIP: 193.142.147.50 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 193.142.147.65 [27]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 193.142.147.57 [1]\\r\\nIP: 43.156.58.184 [1]\\r\\nIP: 92.255.85.152 [2]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 193.142.147.66 [3]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 185.73.124.216 [13]\\r\\nIP: 20.168.26.32 [1]\\r\\nIP: 80.66.88.208 [2]\\r\\nIP: 185.196.220.34 [12]\\r\\nIP: 92.255.85.183 [2]\\r\\nIP: 45.227.255.13 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 185.196.220.58 [2]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4485\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4486\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4487\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4488\",\r\n \"address\": \"185.196.220.28\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4489\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4490\",\r\n \"address\": \"87.251.75.45\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4491\",\r\n \"address\": \"212.122.84.86\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n 
\"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 12539,\r\n \"carrier\": \"Penki Kontinentia Ltd\",\r\n \"organization\": \"Penkiu Kontinentu Komunikaciju Centras Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4492\",\r\n \"address\": \"109.107.166.20\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 56380,\r\n \"carrier\": \"Joint Stock Company Asteros\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4493\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4494\",\r\n \"address\": \"185.196.220.59\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4495\",\r\n \"address\": \"194.165.16.34\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4496\",\r\n \"address\": \"212.22.187.98\",\r\n \"location\": {\r\n \"countryCode\": \"KE\",\r\n \"countryName\": \"Kenya\",\r\n \"state\": \"Nairobi Area\",\r\n \"city\": \"Nairobi\",\r\n 
\"longitude\": 36.81667,\r\n \"latitude\": -1.28333,\r\n \"asn\": 12556,\r\n \"carrier\": \"Internet Solutions (Kenya)\",\r\n \"organization\": \"(Internet Solutions)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4497\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4498\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4499\",\r\n \"address\": \"139.99.135.225\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"New South Wales\",\r\n \"city\": \"Waverton\",\r\n \"longitude\": 151.19581,\r\n \"latitude\": -33.83997,\r\n \"asn\": 16276,\r\n \"carrier\": \"Ovh Sas\",\r\n \"organization\": \"Ovh Australia Pty Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4500\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4501\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4502\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4503\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4504\",\r\n \"address\": \"152.89.196.90\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.66904,\r\n \"latitude\": 55.77056,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4505\",\r\n \"address\": \"45.141.87.11\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 206728,\r\n \"carrier\": \"Media Land Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4506\",\r\n \"address\": \"45.140.210.69\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Nordrhein-Westfalen\",\r\n \"city\": \"Duesseldorf\",\r\n \"longitude\": 6.7735,\r\n \"latitude\": 51.2277,\r\n \"asn\": 211459,\r\n \"carrier\": \"Atha Media Prima Cv.\",\r\n \"organization\": \"Amp - Germany\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4507\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4508\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4509\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4510\",\r\n \"address\": \"104.156.55.56\",\r\n 
\"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Tampa\",\r\n \"longitude\": -82.50581,\r\n \"latitude\": 28.00488,\r\n \"asn\": 29802,\r\n \"carrier\": \"Hivelocity Inc.\",\r\n \"organization\": \"Hivelocity Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4511\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4512\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4513\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4514\",\r\n \"address\": \"184.105.5.195\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Brooklyn\",\r\n \"longitude\": -73.99064,\r\n \"latitude\": 40.6946,\r\n \"asn\": 394996,\r\n \"carrier\": \"47-2339071\",\r\n \"organization\": \"47-2339071\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4515\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4516\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4517\",\r\n \"address\": \"193.142.147.55\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4518\",\r\n \"address\": \"193.142.147.50\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4519\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.6688,\r\n \"latitude\": 41.0238,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4520\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": 
\"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4521\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4522\",\r\n \"address\": \"193.142.147.57\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4523\",\r\n \"address\": \"43.156.58.184\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4524\",\r\n \"address\": \"92.255.85.152\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4525\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n \"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4526\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4527\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4528\",\r\n \"address\": \"185.73.124.216\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4529\",\r\n \"address\": \"20.168.26.32\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Phoenix\",\r\n \"longitude\": -112.08255,\r\n \"latitude\": 
33.50938,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4530\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4531\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4532\",\r\n \"address\": \"92.255.85.183\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4533\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4534\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4535\",\r\n \"address\": \"185.196.220.58\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4536\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4487\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4537\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4488\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4538\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4489\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4539\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4490\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4540\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4491\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4541\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4492\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4542\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4493\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4543\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4494\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4544\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4495\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4545\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4496\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4546\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4497\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4547\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4498\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4548\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4499\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4549\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4500\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4550\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4501\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4551\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4502\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4552\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4503\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4553\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4504\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4554\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4505\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4555\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4506\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4556\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4507\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4557\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4508\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4558\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4509\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4559\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4510\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4560\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4511\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4561\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4512\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4562\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4513\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4563\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4514\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4564\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4515\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4565\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4516\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4566\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4517\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4567\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4518\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4568\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4519\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4569\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4520\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4570\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4521\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4571\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4522\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4572\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4523\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4573\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4524\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4574\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4525\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4575\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4526\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4576\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4527\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4577\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4528\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4578\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4529\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4579\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4530\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4580\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4531\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4581\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4532\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4582\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4533\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4583\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4534\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4584\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4535\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517408287999999999_543d55c3-6d89-4efa-8a07-10ce05318554/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"name\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n 
\"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-26T19:51:08.2299434Z\",\r\n \"processingEndTimeUtc\": \"2022-08-26T19:51:07.7693809Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-25T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4585\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. 
Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 45.227.255.59 [2]\\r\\nIP: 41.216.179.69 [1]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 185.190.24.48 [8]\\r\\nIP: 193.142.147.65 [37]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 193.148.61.176 [1]\\r\\nIP: 194.165.16.77 [2]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.196.220.34 [26]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 179.60.150.116 [8]\\r\\nIP: 185.190.24.103 [4]\\r\\nIP: 149.57.252.78 [1]\\r\\nIP: 103.109.52.111 [6]\\r\\nIP: 194.165.16.76 [1]\\r\\nIP: 5.181.86.11 [18]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 52.180.252.174 [4]\\r\\nIP: 193.142.147.66 [22]\\r\\nIP: 5.181.86.51 [4]\\r\\nIP: 193.142.147.52 [11]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.213 [1]\\r\\nIP: 183.90.168.19 [14]\\r\\nIP: 185.190.24.102 [5]\\r\\nIP: 107.172.93.5 [1]\\r\\nIP: 181.30.28.175 [1]\\r\\nIP: 179.60.147.31 [25]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 103.124.137.161 [2]\\r\\nIP: 5.181.86.7 [1]\\r\\nIP: 103.9.156.60 [1]\\r\\nIP: 45.227.254.4 [9]\\r\\nIP: 141.98.83.173 [5]\\r\\nIP: 195.3.221.15 [4]\\r\\nIP: 191.96.168.250 [44]\\r\\nIP: 179.60.147.33 [23]\\r\\nIP: 103.99.2.225 [4]\\r\\nIP: 91.240.118.113 [11]\\r\\nIP: 88.214.25.13 [3]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 107.175.218.26 [1]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 185.190.24.50 [7]\\r\\nIP: 80.69.56.151 [1]\\r\\nIP: 45.227.255.13 [2]\\r\\nIP: 141.98.10.37 [3]\\r\\nIP: 185.190.24.17 [16]\\r\\nIP: 45.227.254.48 [2]\\r\\n61 more attempts by 15 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": 
\"centralus_4586\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4587\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4588\",\r\n \"address\": \"45.227.255.59\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4589\",\r\n \"address\": \"41.216.179.69\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"longitude\": -2.0,\r\n \"latitude\": 54.0,\r\n \"asn\": 136175,\r\n \"carrier\": \"Serverhosh Internet Service\",\r\n \"organization\": \"Serverhosh Internet Service\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4590\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4591\",\r\n \"address\": \"185.190.24.48\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4592\",\r\n \"address\": \"193.142.147.65\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4593\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4594\",\r\n \"address\": \"193.148.61.176\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Los Angeles Ca\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4595\",\r\n \"address\": \"194.165.16.77\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4596\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n 
\"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4597\",\r\n \"address\": \"185.196.220.34\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"longitude\": 9.0,\r\n \"latitude\": 51.0,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4598\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4599\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4600\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4601\",\r\n \"address\": \"149.57.252.78\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New Jersey\",\r\n \"city\": \"Edison\",\r\n \"longitude\": -74.3806,\r\n \"latitude\": 40.5247,\r\n \"asn\": 8100,\r\n \"carrier\": \"Quadranet Enterprises Llc\",\r\n \"organization\": \"Logicweb Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4602\",\r\n \"address\": \"103.109.52.111\",\r\n \"location\": {\r\n \"countryCode\": \"BD\",\r\n \"countryName\": \"Bangladesh\",\r\n 
\"longitude\": 90.0,\r\n \"latitude\": 24.0,\r\n \"asn\": 134790,\r\n \"carrier\": \"United International University\",\r\n \"organization\": \"United International University\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4603\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4604\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4605\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4606\",\r\n \"address\": \"52.180.252.174\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Iowa\",\r\n \"city\": \"Des Moines\",\r\n \"longitude\": -93.6151,\r\n \"latitude\": 41.589,\r\n \"asn\": 8075,\r\n \"carrier\": \"Microsoft Corporation\",\r\n \"organization\": \"Microsoft Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4607\",\r\n \"address\": \"193.142.147.66\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n 
\"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4608\",\r\n \"address\": \"5.181.86.51\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4609\",\r\n \"address\": \"193.142.147.52\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4610\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4611\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4612\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 
100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4613\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4614\",\r\n \"address\": \"107.172.93.5\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4615\",\r\n \"address\": \"181.30.28.175\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Ciudad De Buenos Aires\",\r\n \"city\": \"Buenos Aires\",\r\n \"longitude\": -58.41731,\r\n \"latitude\": -34.61178,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4616\",\r\n \"address\": \"179.60.147.31\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4617\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian 
Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4618\",\r\n \"address\": \"103.124.137.161\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jawa Timur\",\r\n \"city\": \"Paciran\",\r\n \"longitude\": 112.34,\r\n \"latitude\": -6.8707,\r\n \"asn\": 138089,\r\n \"carrier\": \"Pt.Global Media Data Prima\",\r\n \"organization\": \"Pt.Global Media Data Prima\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4619\",\r\n \"address\": \"5.181.86.7\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4620\",\r\n \"address\": \"103.9.156.60\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ho Chi Minh\",\r\n \"city\": \"Ho Chi Minh City\",\r\n \"longitude\": 106.655,\r\n \"latitude\": 10.78,\r\n \"asn\": 63730,\r\n \"carrier\": \"Vnso Technology Company\",\r\n \"organization\": \"Vnso Technology Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4621\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": 
\"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4622\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4623\",\r\n \"address\": \"195.3.221.15\",\r\n \"location\": {\r\n \"countryCode\": \"PL\",\r\n \"countryName\": \"Poland\",\r\n \"state\": \"Mazowieckie\",\r\n \"city\": \"Mokotow\",\r\n \"longitude\": 21.00167,\r\n \"latitude\": 52.19392,\r\n \"asn\": 201814,\r\n \"carrier\": \"Meverywhere Sp. Z O.O.\",\r\n \"organization\": \"Innowacyjne Rozwiazania Informatyczne.Pl Sp. Z O.O.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4624\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4625\",\r\n \"address\": \"179.60.147.33\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4626\",\r\n \"address\": \"103.99.2.225\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Me Linh\",\r\n \"longitude\": 105.72415,\r\n \"latitude\": 21.19228,\r\n \"asn\": 135905,\r\n \"carrier\": \"Vietnam Posts And Telecommunications Group\",\r\n \"organization\": \"Vpsonline 
Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4627\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4628\",\r\n \"address\": \"88.214.25.13\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Gelnhausen\",\r\n \"longitude\": 9.19234,\r\n \"latitude\": 50.2009,\r\n \"asn\": 29551,\r\n \"carrier\": \"Aixit Gmbh\",\r\n \"organization\": \"Thinktech Technology Industrial Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4629\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4630\",\r\n \"address\": \"107.175.218.26\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Wyoming\",\r\n \"city\": \"Casper\",\r\n \"longitude\": -106.39396,\r\n \"latitude\": 43.06622,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Global Cloud Line\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4631\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4632\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4633\",\r\n \"address\": \"80.69.56.151\",\r\n \"location\": {\r\n \"countryCode\": \"AZ\",\r\n \"countryName\": \"Azerbaijan\",\r\n \"state\": \"Naftalan\",\r\n \"city\": \"Naftalan\",\r\n \"longitude\": 46.825,\r\n \"latitude\": 40.5067,\r\n \"asn\": 34170,\r\n \"carrier\": \"Aztelekom\",\r\n \"organization\": \"Aztelekom.Net Ip Segment\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4634\",\r\n \"address\": \"45.227.255.13\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4635\",\r\n \"address\": \"141.98.10.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 209605,\r\n \"carrier\": \"Uab Host Baltic\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4636\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4637\",\r\n \"address\": \"45.227.254.48\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4638\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4588\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4639\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4589\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4640\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4590\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4641\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4591\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4642\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4592\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4643\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4593\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4644\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4594\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4645\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4595\"\r\n },\r\n \"destinationPort\": 3389,\r\n 
\"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4646\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4596\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4647\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4597\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4648\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4598\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4649\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4599\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4650\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4600\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4651\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4601\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4652\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4602\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4653\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4603\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4654\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4604\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4655\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4605\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4656\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4606\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4657\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4607\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4658\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4608\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4659\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4609\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4660\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4610\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4661\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4611\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4662\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4612\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4663\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4613\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4664\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4614\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4665\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4615\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4666\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4616\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4667\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4617\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4668\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4618\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4669\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4619\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4670\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4620\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4671\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4621\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4672\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4622\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4673\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4623\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4674\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4624\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4675\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4625\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4676\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4626\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4677\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4627\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4678\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4628\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4679\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4629\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4680\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4630\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4681\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4631\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4682\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4632\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4683\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4633\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4684\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4634\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4685\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4635\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4686\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4636\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4687\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4637\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517409151999999999_b7f765fd-7530-432f-9383-b1c7b5596866/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"name\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-25T20:24:32.6189324Z\",\r\n \"processingEndTimeUtc\": \"2022-08-25T20:24:17.1477549Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-24T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e\",\r\n 
\"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4688\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 194.165.16.72 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 43.131.49.246 [2]\\r\\nIP: 27.71.226.103 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 45.86.65.236 [1]\\r\\nIP: 5.181.86.88 [6]\\r\\nIP: 192.210.230.185 [1]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 31.43.185.3 [49]\\r\\nIP: 183.90.168.19 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 167.172.149.14 [1]\\r\\nIP: 91.240.118.113 [4]\\r\\nIP: 212.41.8.46 [1]\\r\\nIP: 80.66.88.201 [2]\\r\\nIP: 5.181.86.44 [4]\\r\\nIP: 141.98.83.171 [5]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.71 [2]\\r\\nIP: 46.161.27.101 [2]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 5.61.60.26 [1]\\r\\nIP: 179.60.150.115 [12]\\r\\nIP: 92.154.96.99 [1]\\r\\nIP: 141.98.83.172 [4]\\r\\nIP: 179.60.147.182 [4]\\r\\nIP: 149.102.131.247 [1]\\r\\nIP: 193.142.147.67 [33]\\r\\nIP: 73.104.247.50 [1]\\r\\nIP: 185.190.24.61 [22]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 185.190.24.17 [24]\\r\\nIP: 191.96.168.250 [30]\\r\\nIP: 185.190.24.93 [5]\\r\\nIP: 193.142.146.209 [1]\\r\\nIP: 185.170.144.134 [70]\\r\\nIP: 65.108.204.95 [1]\\r\\nIP: 147.78.245.142 [1]\\r\\nIP: 87.251.64.160 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 179.60.150.113 [6]\\r\\nIP: 78.180.183.122 [1]\\r\\nIP: 85.215.173.128 [1]\\r\\nIP: 109.86.104.112 [1]\\r\\nIP: 146.20.225.190 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 45.227.255.79 [2]\\r\\nIP: 185.190.24.102 [6]\\r\\nIP: 194.28.112.148 [1]\\r\\n63 more attempts by 14 more IPs\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4689\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n 
{\r\n \"$id\": \"centralus_4690\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4691\",\r\n \"address\": \"194.165.16.72\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4692\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4693\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4694\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4695\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n 
\"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4696\",\r\n \"address\": \"45.86.65.236\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.24164,\r\n \"latitude\": 34.04564,\r\n \"asn\": 35913,\r\n \"carrier\": \"Dedipath\",\r\n \"organization\": \"Dedipath\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4697\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4698\",\r\n \"address\": \"192.210.230.185\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Upland\",\r\n \"longitude\": -117.66391,\r\n \"latitude\": 34.10385,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Racknerd Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4699\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4700\",\r\n \"address\": \"31.43.185.3\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n 
\"countryName\": \"Ukraine\",\r\n \"state\": \"Donets'ka Oblast'\",\r\n \"city\": \"Krasnoarmiis'k\",\r\n \"longitude\": 37.1734,\r\n \"latitude\": 48.281,\r\n \"asn\": 211736,\r\n \"carrier\": \"Fop Dmytro Nedilskyi\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4701\",\r\n \"address\": \"183.90.168.19\",\r\n \"location\": {\r\n \"countryCode\": \"TH\",\r\n \"countryName\": \"Thailand\",\r\n \"state\": \"Krung Thep\",\r\n \"city\": \"Bang Rak\",\r\n \"longitude\": 100.52114,\r\n \"latitude\": 13.72804,\r\n \"asn\": 45328,\r\n \"carrier\": \"Nipa Technology Co. Ltd\",\r\n \"organization\": \"Nipa Technology Co. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4702\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4703\",\r\n \"address\": \"167.172.149.14\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -73.97902,\r\n \"latitude\": 40.75891,\r\n \"asn\": 14061,\r\n \"carrier\": \"Digitalocean Llc\",\r\n \"organization\": \"Digitalocean Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4704\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4705\",\r\n \"address\": \"212.41.8.46\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 49505,\r\n \"carrier\": \"Ooo Network Of Data-Centers Selectel\",\r\n \"organization\": \"Selectel Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4706\",\r\n \"address\": \"80.66.88.201\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4707\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4708\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4709\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4710\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4711\",\r\n \"address\": \"46.161.27.101\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Vps And Shared Hosting Pool\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4712\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4713\",\r\n \"address\": \"5.61.60.26\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Greater London\",\r\n \"city\": \"London\",\r\n \"longitude\": 0.0,\r\n \"latitude\": 51.51222,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"Iroko Networks Corporation\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4714\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell 
Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4715\",\r\n \"address\": \"92.154.96.99\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnmso655 Montsouris\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4716\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4717\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4718\",\r\n \"address\": \"149.102.131.247\",\r\n \"location\": {\r\n \"countryCode\": \"GB\",\r\n \"countryName\": \"United Kingdom\",\r\n \"state\": \"Manchester\",\r\n \"city\": \"Manchester\",\r\n \"longitude\": -2.24083,\r\n \"latitude\": 53.44222,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Psinet Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4719\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4720\",\r\n 
\"address\": \"73.104.247.50\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Jacksonville\",\r\n \"longitude\": -81.56225,\r\n \"latitude\": 30.21981,\r\n \"asn\": 7922,\r\n \"carrier\": \"Comcast\",\r\n \"organization\": \"Comcast\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4721\",\r\n \"address\": \"185.190.24.61\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4722\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4723\",\r\n \"address\": \"185.190.24.17\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4724\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4725\",\r\n \"address\": \"185.190.24.93\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4726\",\r\n \"address\": \"193.142.146.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"Hostslick Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4727\",\r\n \"address\": \"185.170.144.134\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4728\",\r\n \"address\": \"65.108.204.95\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Gunzenhausen\",\r\n \"longitude\": 10.7534,\r\n \"latitude\": 49.11594,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4729\",\r\n \"address\": \"147.78.245.142\",\r\n \"location\": {\r\n \"countryCode\": \"JP\",\r\n \"countryName\": \"Japan\",\r\n \"state\": \"Tokyo\",\r\n \"city\": \"Tokyo\",\r\n \"longitude\": 139.73856,\r\n \"latitude\": 35.69628,\r\n \"asn\": 23959,\r\n \"carrier\": \"Owl Limited\",\r\n \"organization\": \"Virtual Machine Solutions Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4730\",\r\n 
\"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4731\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4732\",\r\n \"address\": \"179.60.150.113\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4733\",\r\n \"address\": \"78.180.183.122\",\r\n \"location\": {\r\n \"countryCode\": \"TR\",\r\n \"countryName\": \"Turkey\",\r\n \"state\": \"Istanbul\",\r\n \"city\": \"Sisli\",\r\n \"longitude\": 28.9521,\r\n \"latitude\": 41.0483,\r\n \"asn\": 9121,\r\n \"carrier\": \"Turk Telekomunikasyon Anonim Sirketi\",\r\n \"organization\": \"Tt Adsl-Ttnet_Dynamic_Gay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4734\",\r\n \"address\": \"85.215.173.128\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Berlin\",\r\n \"city\": \"Berlin\",\r\n \"longitude\": 13.3195,\r\n \"latitude\": 52.5184,\r\n \"asn\": 6724,\r\n \"carrier\": \"Strato Ag\",\r\n \"organization\": \"Strato Ag\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_4735\",\r\n \"address\": \"109.86.104.112\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kyiv Misto\",\r\n \"city\": \"Kyiv\",\r\n \"longitude\": 30.51667,\r\n \"latitude\": 50.43333,\r\n \"asn\": 13188,\r\n \"carrier\": \"Content Delivery Network Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4736\",\r\n \"address\": \"146.20.225.190\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 27357,\r\n \"carrier\": \"Rackspace Hosting\",\r\n \"organization\": \"Rackspace Hosting\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4737\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4738\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4739\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n 
\"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4740\",\r\n \"address\": \"194.28.112.148\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 50968,\r\n \"carrier\": \"Hostmaster Ltd.\",\r\n \"organization\": \"Network Systems Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4741\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4691\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4742\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4692\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4743\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4693\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4744\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4694\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4745\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4695\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4746\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4696\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4747\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4697\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4748\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4698\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4749\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4699\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4750\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4700\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4751\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4701\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4752\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4702\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4753\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4703\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4754\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4704\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4755\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4705\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4756\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4706\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4757\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4707\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4758\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4708\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4759\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4709\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4760\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4710\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4761\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4711\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4762\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4712\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4763\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4713\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4764\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4714\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4765\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4715\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4766\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4716\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4767\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4717\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4768\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4718\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4769\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4719\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4770\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4720\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4771\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4721\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4772\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4722\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4773\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4723\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4774\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4724\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4775\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4725\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4776\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4726\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4777\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4727\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4778\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4728\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4779\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4729\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4780\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4730\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4781\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4731\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4782\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4732\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4783\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4733\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4784\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4734\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4785\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4735\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4786\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4736\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4787\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4737\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4788\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4738\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4789\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4739\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4790\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4740\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410015999999999_6a3dc5df-e4b2-46aa-918a-cae2cfecda8e/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"name\": \"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-24T19:41:11.3106136Z\",\r\n \"processingEndTimeUtc\": \"2022-08-24T19:41:10.6263724Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-23T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": 
\"2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4791\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 23.224.230.146 [1]\\r\\nIP: 87.251.67.64 [1]\\r\\nIP: 5.181.86.85 [14]\\r\\nIP: 131.153.178.70 [1]\\r\\nIP: 91.240.118.113 [24]\\r\\nIP: 146.70.117.116 [2]\\r\\nIP: 193.142.147.58 [27]\\r\\nIP: 179.60.147.182 [1]\\r\\nIP: 179.60.150.114 [5]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 191.96.168.250 [38]\\r\\nIP: 194.165.16.78 [1]\\r\\nIP: 194.135.24.55 [1]\\r\\nIP: 185.190.24.103 [7]\\r\\nIP: 193.142.147.59 [30]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 45.227.254.4 [2]\\r\\nIP: 80.66.88.211 [1]\\r\\nIP: 104.254.233.2 [2]\\r\\nIP: 5.181.86.61 [7]\\r\\nIP: 141.98.83.172 [1]\\r\\nIP: 80.66.88.202 [1]\\r\\nIP: 181.30.28.144 [1]\\r\\nIP: 45.227.254.53 [1]\\r\\nIP: 87.251.64.140 [1]\\r\\nIP: 135.181.194.54 [1]\\r\\nIP: 80.13.124.200 [1]\\r\\nIP: 80.66.88.208 [1]\\r\\nIP: 5.181.86.11 [10]\\r\\nIP: 80.66.88.214 [1]\\r\\nIP: 194.165.16.38 [5]\\r\\nIP: 34.75.15.244 [2]\\r\\nIP: 185.190.24.102 [8]\\r\\nIP: 80.66.88.205 [2]\\r\\nIP: 45.227.254.5 [6]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 113.190.245.2 [1]\\r\\nIP: 45.143.201.62 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 213.6.148.83 [3]\\r\\nIP: 141.98.83.171 [3]\\r\\nIP: 103.231.188.130 [1]\\r\\nIP: 193.142.147.67 [30]\\r\\nIP: 62.233.50.113 [1]\\r\\nIP: 185.170.144.133 [19]\\r\\nIP: 179.60.150.111 [5]\\r\\nIP: 144.91.117.64 [1]\\r\\nIP: 45.227.254.54 [3]\\r\\nIP: 194.165.16.11 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4792\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4793\",\r\n \"azureID\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4794\",\r\n \"address\": \"23.224.230.146\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Los Angeles\",\r\n \"longitude\": -118.25227,\r\n \"latitude\": 34.04303,\r\n \"asn\": 40065,\r\n \"carrier\": \"Cnservers Llc\",\r\n \"organization\": \"Cloudradium L.L.C\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4795\",\r\n \"address\": \"87.251.67.64\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4796\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4797\",\r\n \"address\": \"131.153.178.70\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Arizona\",\r\n \"city\": \"Tempe\",\r\n \"longitude\": -111.92784,\r\n \"latitude\": 33.4357,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Secured Servers Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4798\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": 
\"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4799\",\r\n \"address\": \"146.70.117.116\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.7119,\r\n \"latitude\": 50.1137,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd Frankfurt\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4800\",\r\n \"address\": \"193.142.147.58\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4801\",\r\n \"address\": \"179.60.147.182\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4802\",\r\n \"address\": \"179.60.150.114\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4803\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n 
\"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4804\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4805\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4806\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4807\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4808\",\r\n \"address\": \"193.142.147.59\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": 
\"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4809\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4810\",\r\n \"address\": \"45.227.254.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4811\",\r\n \"address\": \"80.66.88.211\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4812\",\r\n \"address\": \"104.254.233.2\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Virginia\",\r\n \"city\": \"Ashburn\",\r\n \"longitude\": -77.4742,\r\n \"latitude\": 39.0437,\r\n \"asn\": 19437,\r\n \"carrier\": \"Secured Servers Llc\",\r\n \"organization\": \"Pnap-Ashdc5\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4813\",\r\n \"address\": \"5.181.86.61\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 
211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4814\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4815\",\r\n \"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4816\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4817\",\r\n \"address\": \"45.227.254.53\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4818\",\r\n \"address\": \"87.251.64.140\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n 
\"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4819\",\r\n \"address\": \"135.181.194.54\",\r\n \"location\": {\r\n \"countryCode\": \"FI\",\r\n \"countryName\": \"Finland\",\r\n \"state\": \"Uusimaa\",\r\n \"city\": \"Helsinki\",\r\n \"longitude\": 24.935,\r\n \"latitude\": 60.165,\r\n \"asn\": 24940,\r\n \"carrier\": \"Hetzner Online Gmbh\",\r\n \"organization\": \"Hetzner Online Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4820\",\r\n \"address\": \"80.13.124.200\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Hauts-De-Seine\",\r\n \"city\": \"Puteaux\",\r\n \"longitude\": 2.23762,\r\n \"latitude\": 48.88328,\r\n \"asn\": 3215,\r\n \"carrier\": \"Orange S.A.\",\r\n \"organization\": \"Lnput658 Puteaux Bloc 1\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4821\",\r\n \"address\": \"80.66.88.208\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4822\",\r\n \"address\": \"5.181.86.11\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4823\",\r\n \"address\": \"80.66.88.214\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": 
\"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4824\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4825\",\r\n \"address\": \"34.75.15.244\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"South Carolina\",\r\n \"city\": \"North Charleston\",\r\n \"longitude\": -80.05894,\r\n \"latitude\": 32.89008,\r\n \"asn\": 396982,\r\n \"carrier\": \"Google\",\r\n \"organization\": \"Google\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4826\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4827\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4828\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4829\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4830\",\r\n \"address\": \"113.190.245.2\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Thanh Xuan\",\r\n \"longitude\": 105.81277,\r\n \"latitude\": 20.98257,\r\n \"asn\": 45899,\r\n \"carrier\": \"Vnpt Corp\",\r\n \"organization\": \"Vietnam Posts And Telecommunications Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4831\",\r\n \"address\": \"45.143.201.62\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 210950,\r\n \"carrier\": \"Tov E-Rishennya\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4832\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4833\",\r\n \"address\": \"213.6.148.83\",\r\n \"location\": {\r\n \"countryCode\": \"PS\",\r\n 
\"countryName\": \"Occupied Palestinian Territory\",\r\n \"state\": \"Nablus\",\r\n \"city\": \"Nablus\",\r\n \"longitude\": 35.26,\r\n \"latitude\": 32.23,\r\n \"asn\": 12975,\r\n \"carrier\": \"Palestine Telecommunications Company (Paltel)\",\r\n \"organization\": \"Palestine Telecommunications Company (Paltel)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4834\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4835\",\r\n \"address\": \"103.231.188.130\",\r\n \"location\": {\r\n \"countryCode\": \"SG\",\r\n \"countryName\": \"Singapore\",\r\n \"state\": \"Central Singapore\",\r\n \"city\": \"Singapore\",\r\n \"longitude\": 103.85178,\r\n \"latitude\": 1.28795,\r\n \"asn\": 17831,\r\n \"carrier\": \"8 Burn Road # 15-13 Trivex\",\r\n \"organization\": \"Vhost Holdings Pte Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4836\",\r\n \"address\": \"193.142.147.67\",\r\n \"location\": {\r\n \"countryCode\": \"SC\",\r\n \"countryName\": \"Seychelles\",\r\n \"longitude\": 55.4,\r\n \"latitude\": -4.35,\r\n \"asn\": 208046,\r\n \"carrier\": \"Maximilian Kutzner\",\r\n \"organization\": \"X33 Dedicated Servers\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4837\",\r\n \"address\": \"62.233.50.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.60081,\r\n \"latitude\": 55.75548,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. 
Limited\",\r\n \"organization\": \"Sierra Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4838\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4839\",\r\n \"address\": \"179.60.150.111\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4840\",\r\n \"address\": \"144.91.117.64\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Bayern\",\r\n \"city\": \"Muenchen\",\r\n \"longitude\": 11.6074,\r\n \"latitude\": 48.1089,\r\n \"asn\": 51167,\r\n \"carrier\": \"Contabo Gmbh\",\r\n \"organization\": \"Contabo Gmbh\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4841\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4842\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": 
\"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4843\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4794\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4844\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4795\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4845\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4796\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4846\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4797\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4847\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4798\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4848\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4799\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4849\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4800\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4850\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4801\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4851\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4802\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4852\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4803\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4853\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4804\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4854\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4805\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4855\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4806\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4856\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4807\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4857\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4808\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4858\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4809\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4859\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4810\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4860\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4811\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4861\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4812\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4862\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4813\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4863\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4814\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4864\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4815\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4865\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4816\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4866\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4817\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4867\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4818\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4868\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4819\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4869\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4820\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4870\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4821\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4871\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4822\"\r\n },\r\n 
\"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4872\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4823\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4873\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4824\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4874\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4825\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4875\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4826\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4876\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4827\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4877\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4828\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4878\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4829\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4879\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4830\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4880\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4831\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4881\",\r\n 
\"sourceAddress\": {\r\n \"$ref\": \"centralus_4832\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4882\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4833\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4883\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4834\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4884\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4835\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4885\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4836\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4886\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4837\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4887\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4838\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4888\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4839\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4889\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4840\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4890\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4841\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": 
\"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4891\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4842\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517410879999999999_222da3b4-d32c-4be4-8c88-dcef6a423c49/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"name\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-23T19:47:46.0119964Z\",\r\n \"processingEndTimeUtc\": \"2022-08-23T19:47:45.0676912Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-22T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4892\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n 
\"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. 
You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 80.66.88.202 [1]\\r\\nIP: 80.66.88.207 [1]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 194.165.16.71 [1]\\r\\nIP: 141.98.83.172 [5]\\r\\nIP: 185.190.24.50 [8]\\r\\nIP: 80.66.88.213 [2]\\r\\nIP: 43.131.49.246 [1]\\r\\nIP: 185.190.24.101 [4]\\r\\nIP: 191.96.168.250 [22]\\r\\nIP: 194.165.16.11 [1]\\r\\nIP: 5.181.86.88 [5]\\r\\nIP: 141.98.83.173 [2]\\r\\nIP: 91.240.118.113 [9]\\r\\nIP: 179.60.150.116 [4]\\r\\nIP: 173.201.17.86 [1]\\r\\nIP: 196.22.249.27 [2]\\r\\nIP: 45.227.254.54 [1]\\r\\nIP: 116.206.231.59 [1]\\r\\nIP: 185.190.24.102 [7]\\r\\nIP: 80.66.88.205 [1]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 5.181.86.85 [3]\\r\\nIP: 152.89.217.238 [1]\\r\\nIP: 27.71.226.103 [2]\\r\\nIP: 176.113.115.141 [4]\\r\\nIP: 86.106.121.74 [1]\\r\\nIP: 185.190.24.32 [5]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 89.188.170.131 [1]\\r\\nIP: 185.190.24.103 [6]\\r\\nIP: 87.251.64.160 [2]\\r\\nIP: 45.227.254.52 [1]\\r\\nIP: 179.60.150.115 [9]\\r\\nIP: 70.183.29.58 [1]\\r\\nIP: 185.170.144.133 [38]\\r\\nIP: 194.165.16.38 [8]\\r\\nIP: 112.78.168.114 [5]\\r\\nIP: 194.165.16.4 [6]\\r\\nIP: 194.165.17.14 [6]\\r\\nIP: 141.98.83.171 [1]\\r\\nIP: 181.30.28.144 [1]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4893\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4894\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4895\",\r\n 
\"address\": \"80.66.88.202\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4896\",\r\n \"address\": \"80.66.88.207\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4897\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4898\",\r\n \"address\": \"194.165.16.71\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4899\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4900\",\r\n \"address\": \"185.190.24.50\",\r\n \"location\": {\r\n \"countryCode\": 
\"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4901\",\r\n \"address\": \"80.66.88.213\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4902\",\r\n \"address\": \"43.131.49.246\",\r\n \"location\": {\r\n \"countryCode\": \"DE\",\r\n \"countryName\": \"Germany\",\r\n \"state\": \"Hessen\",\r\n \"city\": \"Frankfurt Am Main\",\r\n \"longitude\": 8.6821,\r\n \"latitude\": 50.1109,\r\n \"asn\": 132203,\r\n \"carrier\": \"Tencent Building Kejizhongyi Avenue\",\r\n \"organization\": \"6 Collyer Quay\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4903\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4904\",\r\n \"address\": \"191.96.168.250\",\r\n \"location\": {\r\n \"countryCode\": \"CL\",\r\n \"countryName\": \"Chile\",\r\n \"state\": \"Region Metropolitana\",\r\n \"city\": \"Santiago\",\r\n \"longitude\": -70.656,\r\n \"latitude\": -33.465,\r\n \"asn\": 174,\r\n \"carrier\": \"Cogent Communications\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4905\",\r\n \"address\": \"194.165.16.11\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": 
\"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4906\",\r\n \"address\": \"5.181.86.88\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4907\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4908\",\r\n \"address\": \"91.240.118.113\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. 
Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4909\",\r\n \"address\": \"179.60.150.116\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4910\",\r\n \"address\": \"173.201.17.86\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Guangdong\",\r\n \"city\": \"Shenzhen\",\r\n \"longitude\": 114.10167,\r\n \"latitude\": 22.5475,\r\n \"asn\": 398789,\r\n \"carrier\": \"Godaddy.Com Llc\",\r\n \"organization\": \"Longray\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4911\",\r\n \"address\": \"196.22.249.27\",\r\n \"location\": {\r\n \"countryCode\": \"ZA\",\r\n \"countryName\": \"South Africa\",\r\n \"state\": \"Western Cape\",\r\n \"city\": \"Cape Town\",\r\n \"longitude\": 18.4241,\r\n \"latitude\": -33.9249,\r\n \"asn\": 36874,\r\n \"carrier\": \"African Network Information Center\",\r\n \"organization\": \"72 Canterbury Street\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4912\",\r\n \"address\": \"45.227.254.54\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4913\",\r\n \"address\": \"116.206.231.59\",\r\n \"location\": {\r\n \"countryCode\": \"AU\",\r\n \"countryName\": \"Australia\",\r\n \"state\": \"South Australia\",\r\n \"city\": \"Adelaide\",\r\n \"longitude\": 138.59973,\r\n \"latitude\": -34.92577,\r\n \"asn\": 133480,\r\n \"carrier\": \"Intergrid Group Pty 
Ltd\",\r\n \"organization\": \"Intergrid Group Pty. Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4914\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4915\",\r\n \"address\": \"80.66.88.205\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4916\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4917\",\r\n \"address\": \"5.181.86.85\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4918\",\r\n \"address\": \"152.89.217.238\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 
37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 56694,\r\n \"carrier\": \"Llc Smart Ape\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4919\",\r\n \"address\": \"27.71.226.103\",\r\n \"location\": {\r\n \"countryCode\": \"VN\",\r\n \"countryName\": \"Viet Nam\",\r\n \"state\": \"Ha Noi\",\r\n \"city\": \"Nam Tu Liem\",\r\n \"longitude\": 105.76073,\r\n \"latitude\": 21.01489,\r\n \"asn\": 38731,\r\n \"carrier\": \"Vietel - Cht Company\",\r\n \"organization\": \"Viettel Group\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4920\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4921\",\r\n \"address\": \"86.106.121.74\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"New York\",\r\n \"longitude\": -74.00888,\r\n \"latitude\": 40.72092,\r\n \"asn\": 9009,\r\n \"carrier\": \"M247 Ltd\",\r\n \"organization\": \"M247 Ltd New York\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4922\",\r\n \"address\": \"185.190.24.32\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4923\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4924\",\r\n \"address\": \"89.188.170.131\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskovskaya Oblast'\",\r\n \"city\": \"Stupino\",\r\n \"longitude\": 38.08672,\r\n \"latitude\": 54.89836,\r\n \"asn\": 59574,\r\n \"carrier\": \"Sks Telecom Ltd\",\r\n \"organization\": \"Isp Stupino.Ru Network\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4925\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4926\",\r\n \"address\": \"87.251.64.160\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Novosibirskaya Oblast'\",\r\n \"city\": \"Novosibirsk\",\r\n \"longitude\": 82.92782,\r\n \"latitude\": 55.03923,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4927\",\r\n \"address\": \"45.227.254.52\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4928\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n 
\"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4929\",\r\n \"address\": \"70.183.29.58\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"California\",\r\n \"city\": \"Rancho Santa Margarita\",\r\n \"longitude\": -117.60826,\r\n \"latitude\": 33.62295,\r\n \"asn\": 22773,\r\n \"carrier\": \"Cox Communications Inc.\",\r\n \"organization\": \"Cox Communications Inc.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4930\",\r\n \"address\": \"185.170.144.133\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Moskva\",\r\n \"city\": \"Moskva\",\r\n \"longitude\": 37.6366,\r\n \"latitude\": 55.76441,\r\n \"asn\": 48080,\r\n \"carrier\": \"Dmitriy Panchenko\",\r\n \"organization\": \"Xhostis Remote Datacenter\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4931\",\r\n \"address\": \"194.165.16.38\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4932\",\r\n \"address\": \"112.78.168.114\",\r\n \"location\": {\r\n \"countryCode\": \"ID\",\r\n \"countryName\": \"Indonesia\",\r\n \"state\": \"Jakarta Raya\",\r\n \"city\": \"Jakarta\",\r\n \"longitude\": 106.8267,\r\n \"latitude\": -6.1738,\r\n \"asn\": 17451,\r\n \"carrier\": \"Biznet Networks\",\r\n \"organization\": \"Biznet Networks\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4933\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4934\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4935\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4936\",\r\n \"address\": \"181.30.28.144\",\r\n \"location\": {\r\n \"countryCode\": \"AR\",\r\n \"countryName\": \"Argentina\",\r\n \"state\": \"Buenos Aires\",\r\n \"city\": \"Zelaya\",\r\n \"longitude\": -58.87109,\r\n \"latitude\": -34.37014,\r\n \"asn\": 7303,\r\n \"carrier\": \"Telecom Argentina S.A.\",\r\n \"organization\": \"Telecom Argentina S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4937\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4895\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4938\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4896\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4939\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4897\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n 
\"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4940\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4898\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4941\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4899\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4942\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4900\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4943\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4901\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4944\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4902\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4945\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4903\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4946\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4904\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4947\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4905\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4948\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4906\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4949\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4907\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4950\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4908\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4951\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4909\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4952\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4910\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4953\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4911\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4954\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4912\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4955\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4913\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4956\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4914\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4957\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4915\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4958\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4916\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_4959\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4917\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4960\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4918\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4961\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4919\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4962\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4920\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4963\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4921\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4964\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4922\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4965\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4923\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4966\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4924\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4967\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4925\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4968\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4926\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4969\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4927\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4970\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4928\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4971\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4929\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4972\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4930\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4973\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4931\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4974\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4932\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4975\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4933\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4976\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4934\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4977\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4935\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_4978\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_4936\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517411743999999999_d99b95a1-afd3-4ee6-b55e-1e44ba51f7b9/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Security/locations/centralus/alerts/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"name\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-08-22T19:47:25.0250698Z\",\r\n \"processingEndTimeUtc\": \"2022-08-22T19:47:23.7684919Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"alertType\": \"Network_TrafficFromUnrecommendedIP\",\r\n \"startTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"endTimeUtc\": \"2022-08-20T00:00:00Z\",\r\n \"severity\": \"Low\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698\",\r\n \"intent\": \"PreAttack\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_4979\",\r\n \"azureResourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"alertstest\",\r\n \"alertDisplayName\": \"Traffic detected from IP addresses recommended for blocking\",\r\n \"description\": \"Defender for Cloud detected inbound traffic from IP addresses that are recommended to be 
blocked. This typically occurs when this IP address doesn't communicate regularly with this resource.\\r\\nAlternatively, the IP address has been flagged as malicious by Microsoft's threat intelligence sources.\",\r\n \"remediationSteps\": [\r\n \"{\\\"kind\\\":\\\"openBlade\\\",\\\"displayValue\\\":\\\"Enforce rule\\\",\\\"extension\\\":\\\"Microsoft_Azure_Security_R3\\\",\\\"detailBlade\\\":\\\"AdaptiveNetworkControlsResourceBlade\\\",\\\"detailBladeInputs\\\":\\\"protectedResourceId=/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\\\"}\"\r\n ],\r\n \"extendedProperties\": {\r\n \"investigation Steps\": \"1. Review the IP addresses and determine if they should be communicating with the virtual machine\\r\\n2. Enforce the hardening rule recommended by Defender for Cloud which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly\",\r\n \"destination Port\": \"3389\",\r\n \"protocol\": \"TCP\",\r\n \"source IP(s) [Number of attempts]\": \"IP: 141.98.83.171 [3]\\r\\nIP: 80.66.88.203 [2]\\r\\nIP: 194.165.16.76 [2]\\r\\nIP: 194.165.16.4 [8]\\r\\nIP: 192.210.149.232 [1]\\r\\nIP: 179.60.150.115 [4]\\r\\nIP: 212.102.35.30 [45]\\r\\nIP: 136.32.204.105 [1]\\r\\nIP: 24.154.71.234 [1]\\r\\nIP: 141.98.83.173 [3]\\r\\nIP: 194.165.16.73 [2]\\r\\nIP: 45.227.254.5 [13]\\r\\nIP: 141.98.83.172 [3]\\r\\nIP: 194.165.16.37 [1]\\r\\nIP: 66.115.189.143 [1]\\r\\nIP: 194.165.16.10 [2]\\r\\nIP: 179.60.147.32 [29]\\r\\nIP: 185.190.24.101 [5]\\r\\nIP: 185.190.24.93 [10]\\r\\nIP: 176.113.115.141 [2]\\r\\nIP: 185.190.24.103 [9]\\r\\nIP: 45.227.255.99 [3]\\r\\nIP: 194.135.24.55 [2]\\r\\nIP: 45.227.254.51 [3]\\r\\nIP: 45.227.254.49 [2]\\r\\nIP: 45.227.255.55 [1]\\r\\nIP: 203.115.110.73 [1]\\r\\nIP: 194.165.16.78 [2]\\r\\nIP: 92.255.85.166 [9]\\r\\nIP: 67.225.40.73 [1]\\r\\nIP: 
45.227.255.79 [4]\\r\\nIP: 141.98.83.123 [5]\\r\\nIP: 185.190.24.102 [2]\\r\\nIP: 45.227.254.27 [9]\\r\\nIP: 207.246.67.121 [1]\\r\\nIP: 92.114.153.67 [1]\\r\\nIP: 80.66.88.209 [1]\\r\\nIP: 80.66.88.212 [2]\\r\\nIP: 141.98.83.126 [4]\\r\\nIP: 5.181.86.44 [5]\\r\\nIP: 37.32.30.41 [2]\\r\\nIP: 62.8.12.230 [1]\\r\\nIP: 45.227.254.26 [1]\\r\\nIP: 60.208.6.75 [25]\\r\\nIP: 194.165.17.14 [7]\",\r\n \"resourceType\": \"Virtual Machine\",\r\n \"killChainIntent\": \"PreAttack\"\r\n },\r\n \"entities\": [\r\n {\r\n \"$id\": \"centralus_4980\",\r\n \"resourceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"azure-resource\"\r\n },\r\n {\r\n \"$id\": \"centralus_4981\",\r\n \"azureID\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\",\r\n \"type\": \"host\"\r\n },\r\n {\r\n \"$id\": \"centralus_4982\",\r\n \"address\": \"141.98.83.171\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4983\",\r\n \"address\": \"80.66.88.203\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4984\",\r\n \"address\": \"194.165.16.76\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n 
\"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4985\",\r\n \"address\": \"194.165.16.4\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4986\",\r\n \"address\": \"192.210.149.232\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"New York\",\r\n \"city\": \"Buffalo\",\r\n \"longitude\": -78.81913,\r\n \"latitude\": 42.90758,\r\n \"asn\": 36352,\r\n \"carrier\": \"Colocrossing\",\r\n \"organization\": \"Colocrossing\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4987\",\r\n \"address\": \"179.60.150.115\",\r\n \"location\": {\r\n \"countryCode\": \"BZ\",\r\n \"countryName\": \"Belize\",\r\n \"longitude\": -88.45,\r\n \"latitude\": 17.15,\r\n \"asn\": 12586,\r\n \"carrier\": \"Ghostnet Gmbh\",\r\n \"organization\": \"Maxwell Group Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4988\",\r\n \"address\": \"212.102.35.30\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 212238,\r\n \"carrier\": \"Datacamp Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4989\",\r\n \"address\": \"136.32.204.105\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Missouri\",\r\n \"city\": \"Kansas City\",\r\n \"longitude\": -94.53961,\r\n \"latitude\": 39.10771,\r\n \"asn\": 16591,\r\n \"carrier\": \"Google Fiber Inc.\",\r\n \"organization\": \"Google\"\r\n 
},\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4990\",\r\n \"address\": \"24.154.71.234\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Ohio\",\r\n \"city\": \"Youngstown\",\r\n \"longitude\": -80.66719,\r\n \"latitude\": 41.02253,\r\n \"asn\": 27364,\r\n \"carrier\": \"Armstrong\",\r\n \"organization\": \"Armstrong\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4991\",\r\n \"address\": \"141.98.83.173\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4992\",\r\n \"address\": \"194.165.16.73\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4993\",\r\n \"address\": \"45.227.254.5\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4994\",\r\n \"address\": \"141.98.83.172\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4995\",\r\n \"address\": \"194.165.16.37\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n 
\"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4996\",\r\n \"address\": \"66.115.189.143\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Georgia\",\r\n \"city\": \"Marietta\",\r\n \"longitude\": -84.4629,\r\n \"latitude\": 33.93318,\r\n \"asn\": 46562,\r\n \"carrier\": \"Performive Llc\",\r\n \"organization\": \"Performive Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4997\",\r\n \"address\": \"194.165.16.10\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4998\",\r\n \"address\": \"179.60.147.32\",\r\n \"location\": {\r\n \"countryCode\": \"VE\",\r\n \"countryName\": \"Venezuela\",\r\n \"state\": \"Distrito Capital\",\r\n \"city\": \"Caracas\",\r\n \"longitude\": -66.9009,\r\n \"latitude\": 10.4985,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Cloud Solutions S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_4999\",\r\n \"address\": \"185.190.24.101\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5000\",\r\n \"address\": \"185.190.24.93\",\r\n 
\"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5001\",\r\n \"address\": \"176.113.115.141\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"organization\": \"Red Bytes Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5002\",\r\n \"address\": \"185.190.24.103\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5003\",\r\n \"address\": \"45.227.255.99\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5004\",\r\n \"address\": \"194.135.24.55\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Krym Avtonomna Respublika\",\r\n \"city\": \"Simferopol\",\r\n \"longitude\": 34.1024,\r\n \"latitude\": 44.9521,\r\n \"asn\": 33696,\r\n \"carrier\": \"Nextarray Llc.\",\r\n \"organization\": \"Tribeka Web Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5005\",\r\n \"address\": \"45.227.254.51\",\r\n 
\"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5006\",\r\n \"address\": \"45.227.254.49\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5007\",\r\n \"address\": \"45.227.255.55\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5008\",\r\n \"address\": \"203.115.110.73\",\r\n \"location\": {\r\n \"countryCode\": \"IN\",\r\n \"countryName\": \"India\",\r\n \"state\": \"Delhi\",\r\n \"city\": \"Delhi\",\r\n \"longitude\": 77.225,\r\n \"latitude\": 28.6353,\r\n \"asn\": 17426,\r\n \"carrier\": \"Primesoftex Ltd\",\r\n \"organization\": \"Primenet Global Ltd.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5009\",\r\n \"address\": \"194.165.16.78\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": 
\"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5010\",\r\n \"address\": \"92.255.85.166\",\r\n \"location\": {\r\n \"countryCode\": \"RU\",\r\n \"countryName\": \"Russian Federation\",\r\n \"state\": \"Sankt-Peterburg\",\r\n \"city\": \"Sankt-Peterburg\",\r\n \"longitude\": 30.31579,\r\n \"latitude\": 59.93904,\r\n \"asn\": 57523,\r\n \"carrier\": \"Chang Way Technologies Co. Limited\",\r\n \"organization\": \"Chang Way Technologies Co. Limited\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5011\",\r\n \"address\": \"67.225.40.73\",\r\n \"location\": {\r\n \"countryCode\": \"CA\",\r\n \"countryName\": \"Canada\",\r\n \"state\": \"Saskatchewan\",\r\n \"city\": \"Regina\",\r\n \"longitude\": -104.61298,\r\n \"latitude\": 50.44894,\r\n \"asn\": 803,\r\n \"carrier\": \"Saskatchewan Telecommunications\",\r\n \"organization\": \"Sasktel Wide Area Network Engineering Center\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5012\",\r\n \"address\": \"45.227.255.79\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"state\": \"Noord-Holland\",\r\n \"city\": \"Amsterdam\",\r\n \"longitude\": 4.94019,\r\n \"latitude\": 52.30905,\r\n \"asn\": 43350,\r\n \"carrier\": \"Nforce Entertainment B.V.\",\r\n \"organization\": \"Okpay Investment Company\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5013\",\r\n \"address\": \"141.98.83.123\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5014\",\r\n \"address\": \"185.190.24.102\",\r\n \"location\": {\r\n \"countryCode\": \"AX\",\r\n \"countryName\": \"Aland Islands\",\r\n \"longitude\": 19.95,\r\n \"latitude\": 60.1,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Tribeka Web 
Advisors S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5015\",\r\n \"address\": \"45.227.254.27\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5016\",\r\n \"address\": \"207.246.67.121\",\r\n \"location\": {\r\n \"countryCode\": \"US\",\r\n \"countryName\": \"United States\",\r\n \"state\": \"Florida\",\r\n \"city\": \"Miami\",\r\n \"longitude\": -80.24044,\r\n \"latitude\": 25.81253,\r\n \"asn\": 20473,\r\n \"carrier\": \"The Constant Company Llc\",\r\n \"organization\": \"Vultr Holdings Llc\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5017\",\r\n \"address\": \"92.114.153.67\",\r\n \"location\": {\r\n \"countryCode\": \"MD\",\r\n \"countryName\": \"Moldova\",\r\n \"state\": \"Chisinau\",\r\n \"city\": \"Chisinau\",\r\n \"longitude\": 28.8416,\r\n \"latitude\": 47.0269,\r\n \"asn\": 8926,\r\n \"carrier\": \"Moldtelecom Sa\",\r\n \"organization\": \"Jsc Moldtelecom S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5018\",\r\n \"address\": \"80.66.88.209\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5019\",\r\n \"address\": \"80.66.88.212\",\r\n \"location\": {\r\n \"countryCode\": \"NL\",\r\n \"countryName\": \"Netherlands\",\r\n \"longitude\": 5.45,\r\n \"latitude\": 52.3,\r\n \"asn\": 208091,\r\n \"carrier\": \"Postepay S.P.A.\",\r\n \"organization\": \" Xhost 
Internet Solutions Lp Suite 6060 128 Aldersgate Street \"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5020\",\r\n \"address\": \"141.98.83.126\",\r\n \"location\": {\r\n \"countryCode\": \"PA\",\r\n \"countryName\": \"Panama\",\r\n \"longitude\": -80.0,\r\n \"latitude\": 9.0,\r\n \"asn\": 209588,\r\n \"carrier\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5021\",\r\n \"address\": \"5.181.86.44\",\r\n \"location\": {\r\n \"countryCode\": \"UA\",\r\n \"countryName\": \"Ukraine\",\r\n \"state\": \"Kharkivs'ka Oblast'\",\r\n \"city\": \"Kharkiv\",\r\n \"longitude\": 36.2304,\r\n \"latitude\": 49.9935,\r\n \"asn\": 211632,\r\n \"carrier\": \"Internet Solutions & Innovations\",\r\n \"organization\": \"Internet Solutions & Innovations\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5022\",\r\n \"address\": \"37.32.30.41\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 202468,\r\n \"carrier\": \"Noyan Abr Arvan Co. ( Private Joint Stock)\",\r\n \"organization\": \"Noyan Abr Arvan Co. 
( Private Joint Stock)\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5023\",\r\n \"address\": \"62.8.12.230\",\r\n \"location\": {\r\n \"countryCode\": \"FR\",\r\n \"countryName\": \"France\",\r\n \"state\": \"Loire-Atlantique\",\r\n \"city\": \"Nantes\",\r\n \"longitude\": -1.55674,\r\n \"latitude\": 47.21684,\r\n \"asn\": 15557,\r\n \"carrier\": \"Sfr Sa\",\r\n \"organization\": \"Entreprise\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5024\",\r\n \"address\": \"45.227.254.26\",\r\n \"location\": {\r\n \"countryCode\": \"LT\",\r\n \"countryName\": \"Lithuania\",\r\n \"state\": \"Vilniaus Apskritis\",\r\n \"city\": \"Vilnius\",\r\n \"longitude\": 25.2797,\r\n \"latitude\": 54.6872,\r\n \"asn\": 267784,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Xwin Universal Ltd\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5025\",\r\n \"address\": \"60.208.6.75\",\r\n \"location\": {\r\n \"countryCode\": \"CN\",\r\n \"countryName\": \"China\",\r\n \"state\": \"Shandong\",\r\n \"city\": \"Jinan\",\r\n \"longitude\": 117.0,\r\n \"latitude\": 36.683,\r\n \"asn\": 4837,\r\n \"carrier\": \"China Unicom China169 Backbone\",\r\n \"organization\": \"Jinan Yingte Net Bar\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5026\",\r\n \"address\": \"194.165.17.14\",\r\n \"location\": {\r\n \"countryCode\": \"IR\",\r\n \"countryName\": \"Iran\",\r\n \"state\": \"Tehran\",\r\n \"city\": \"Tehran\",\r\n \"longitude\": 51.41528,\r\n \"latitude\": 35.68722,\r\n \"asn\": 48721,\r\n \"carrier\": \"Flyservers S.A.\",\r\n \"organization\": \"Flyservers S.A.\"\r\n },\r\n \"type\": \"ip\"\r\n },\r\n {\r\n \"$id\": \"centralus_5027\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4982\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5028\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4983\"\r\n 
},\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5029\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4984\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5030\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4985\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5031\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4986\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5032\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4987\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5033\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4988\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5034\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4989\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5035\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4990\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5036\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4991\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5037\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4992\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": 
\"centralus_5038\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4993\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5039\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4994\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5040\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4995\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5041\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4996\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5042\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4997\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5043\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4998\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5044\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_4999\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5045\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5000\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5046\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5001\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5047\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5002\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": 
\"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5048\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5003\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5049\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5004\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5050\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5005\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5051\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5006\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5052\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5007\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5053\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5008\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5054\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5009\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5055\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5010\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5056\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5011\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5057\",\r\n \"sourceAddress\": {\r\n \"$ref\": 
\"centralus_5012\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5058\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5013\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5059\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5014\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5060\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5015\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5061\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5016\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5062\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5017\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5063\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5018\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5064\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5019\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5065\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5020\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5066\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5021\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n 
\"$id\": \"centralus_5067\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5022\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5068\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5023\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5069\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5024\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5070\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5025\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n },\r\n {\r\n \"$id\": \"centralus_5071\",\r\n \"sourceAddress\": {\r\n \"$ref\": \"centralus_5026\"\r\n },\r\n \"destinationPort\": 3389,\r\n \"protocol\": \"Tcp\",\r\n \"type\": \"network-connection\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517413471999999999_fc540134-b745-48de-81c5-e8984a5b9698/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroup/taklei/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/activate?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjEvYWN0aXZhdGU/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "POST", "RequestHeaders": { "x-ms-client-request-id": [ - "4004d8a3-5a9a-4eaa-9dc3-477a442cf637" 
+ "09566371-831a-44bd-bea3-754b65889a9a" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -100,49 +163,235 @@ "1199" ], "x-ms-request-id": [ - "a7cb5105-d1df-4f7b-b551-12be5e0e4a40" + "78cac342-b2ee-4fbb-b89f-aa7134c5114d" ], "x-ms-correlation-request-id": [ - "a7cb5105-d1df-4f7b-b551-12be5e0e4a40" + "78cac342-b2ee-4fbb-b89f-aa7134c5114d" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T195613Z:a7cb5105-d1df-4f7b-b551-12be5e0e4a40" + "FRANCESOUTH:20221117T092926Z:78cac342-b2ee-4fbb-b89f-aa7134c5114d" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 19:56:13 GMT" + "Thu, 17 Nov 2022 09:29:25 GMT" ], "Expires": [ "-1" - ], - "Content-Length": [ - "0" ] }, "ResponseBody": "", "StatusCode": 204 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6?api-version=2021-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzczNTE4ODI5MDE1MzM0OV9kMTRlOTVjMi00NTA4LTQyMWItOWYxYS0wMTdmNGU2ZGU1ZDY/YXBpLXZlcnNpb249MjAyMS0wMS0wMQ==", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjE/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ff350d46-2ff2-4087-9247-4978b266c8a5" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + 
"ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "e0c3c4c1-4f3a-4a62-9381-7fa2f3580b9e" + ], + "x-ms-correlation-request-id": [ + "e0c3c4c1-4f3a-4a62-9381-7fa2f3580b9e" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092927Z:e0c3c4c1-4f3a-4a62-9381-7fa2f3580b9e" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:26 GMT" + ], + "Content-Length": [ + "3259" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Active\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": 
\"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjE/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "GET", + 
"RequestHeaders": { + "x-ms-client-request-id": [ + "6f55fd03-eb93-4946-beca-b7a31d028bf2" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "0450e02f-f53c-4b4e-9168-68c001ec8d3d" + ], + "x-ms-correlation-request-id": [ + "0450e02f-f53c-4b4e-9168-68c001ec8d3d" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092929Z:0450e02f-f53c-4b4e-9168-68c001ec8d3d" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:28 GMT" + ], + "Content-Length": [ + "3262" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Dismissed\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": 
false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjE/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "GET", + 
"RequestHeaders": { + "x-ms-client-request-id": [ + "228a6aa4-fa29-4b81-a9e1-f5315a988fcc" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "653614f6-ff7f-4531-9186-21a77208c18e" + ], + "x-ms-correlation-request-id": [ + "653614f6-ff7f-4531-9186-21a77208c18e" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092930Z:653614f6-ff7f-4531-9186-21a77208c18e" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:30 GMT" + ], + "Content-Length": [ + "3261" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"Resolved\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": 
false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. 
Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjE/YXBpLXZlcnNpb249MjAyMi0wMS0wMQ==", + "RequestMethod": "GET", 
"RequestHeaders": { "x-ms-client-request-id": [ - "0370f4a3-fe79-4e03-9fdd-dcb567b0e99f" + "712d64da-f9a5-45cd-b39b-58805763c581" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -160,22 +409,22 @@ "Kestrel" ], "x-ms-request-id": [ - "c0599077-5f99-4270-bac0-9ec569a02ea0" + "e607e5cc-03a9-439f-9f0a-99a064e4af92" ], "x-ms-correlation-request-id": [ - "c0599077-5f99-4270-bac0-9ec569a02ea0" + "e607e5cc-03a9-439f-9f0a-99a064e4af92" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210901T200405Z:c0599077-5f99-4270-bac0-9ec569a02ea0" + "FRANCESOUTH:20221117T092932Z:e607e5cc-03a9-439f-9f0a-99a064e4af92" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 01 Sep 2021 20:04:04 GMT" + "Thu, 17 Nov 2022 09:29:32 GMT" ], "Content-Length": [ - "3209" + "3263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -184,8 +433,179 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"name\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"timeGeneratedUtc\": \"2021-08-12T15:27:03.5800635Z\",\r\n \"processingEndTimeUtc\": \"2021-08-12T15:27:02.984665Z\",\r\n \"status\": \"Active\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Azure Security Center\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"endTimeUtc\": \"2021-08-12T15:26:10.984665Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"AzureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. 
Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517735188290153349_d14e95c2-4508-421b-9f1a-017f4e6de5d6/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"name\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"type\": \"Microsoft.Security/Locations/alerts\",\r\n \"properties\": {\r\n \"status\": \"InProgress\",\r\n \"timeGeneratedUtc\": \"2022-11-17T09:18:06.2039067Z\",\r\n \"processingEndTimeUtc\": \"2022-11-17T09:18:03.54504Z\",\r\n \"version\": \"2022-01-01.0\",\r\n \"vendorName\": \"Microsoft\",\r\n \"productName\": \"Microsoft Defender for Cloud\",\r\n \"productComponentName\": \"ARM\",\r\n \"alertType\": \"SIMULATED_ARM_MicroBurst.AZStorageKeysREST\",\r\n \"startTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"endTimeUtc\": \"2022-11-17T09:17:11.54504Z\",\r\n \"severity\": \"High\",\r\n \"isIncident\": false,\r\n \"systemAlertId\": \"2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061\",\r\n \"intent\": \"Collection\",\r\n \"resourceIdentifiers\": [\r\n {\r\n \"$id\": \"centralus_1\",\r\n \"azureResourceId\": \"/SUBSCRIPTIONS/487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"type\": \"AzureResource\",\r\n \"azureResourceTenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n ],\r\n \"compromisedEntity\": \"487bb485-b5b0-471e-9c0d-10717612f869\",\r\n \"alertDisplayName\": \"[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)\",\r\n \"description\": \"THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.\",\r\n \"remediationSteps\": [\r\n \"1. Determine whether the activity was intentional – by contacting the account owner.\\n2. If the activity was intentional, dismiss the alert. Otherwise, treat the user account and subscription as compromised and continue with the next remediation steps.\\n3. 
Remediate the compromised user account: delete the user account if it's an unfamiliar account (the attacker may have created it), otherwise change its authentication credentials, use Azure Activity Logs to locate suspicious activities and review all activities performed by the user.\\n4. Remediate the compromised subscription: remove any unfamiliar Runbook from the compromised automation account, review IAM permissions for the subscription and remove permissions for any unfamiliar user account, review all Azure resources and delete any unfamiliar Azure Resource, review all alerts in Azure Security Center related to the subscription and investigate them, use Azure Activity Logs to locate suspicious activities and review all activities performed in this subscription.\"\r\n ],\r\n \"extendedProperties\": {\r\n \"microBurst modules\": \"Get-AZStorageKeysREST\",\r\n \"principalOid\": \"00000000-0000-0000-0000-000000000000\",\r\n \"ip address\": \"00.00.00.000\",\r\n \"username\": \"Sample user\",\r\n \"resourceType\": \"ARM\",\r\n \"killChainIntent\": \"Collection\"\r\n },\r\n \"extendedLinks\": [\r\n {\r\n \"href\": \"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\r\n \"label\": \"NetSPI blogpost\",\r\n \"type\": \"webLink\"\r\n },\r\n {\r\n \"href\": \"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\r\n \"label\": \"MicroBurst source code\",\r\n \"type\": \"webLink\"\r\n }\r\n ],\r\n \"alertUri\": \"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/subscriptionId/487bb485-b5b0-471e-9c0d-10717612f869/referencedFrom/alertDeepLink/location/centralus\"\r\n }\r\n}", "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/dismiss?api-version=2022-01-01", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjEvZGlzbWlzcz9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "ce0bdcab-e72a-4f52-b66e-9c394743e997" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "06efb3ce-3015-4735-bbd8-d1e60a33e57e" + ], + "x-ms-correlation-request-id": [ + "06efb3ce-3015-4735-bbd8-d1e60a33e57e" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092928Z:06efb3ce-3015-4735-bbd8-d1e60a33e57e" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:27 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/resolve?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjEvcmVzb2x2ZT9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "c52c7af9-ae14-4f42-ba79-0fba5449be8e" + ], + "Accept-Language": [ + 
"en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "595667c8-0e2d-4365-af5c-241b4257a6d5" + ], + "x-ms-correlation-request-id": [ + "595667c8-0e2d-4365-af5c-241b4257a6d5" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092929Z:595667c8-0e2d-4365-af5c-241b4257a6d5" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:29 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/locations/centralus/alerts/2517336241684549599_253d1af9-8312-42de-a9eb-92f85a0ef061/inProgress?api-version=2022-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvbG9jYXRpb25zL2NlbnRyYWx1cy9hbGVydHMvMjUxNzMzNjI0MTY4NDU0OTU5OV8yNTNkMWFmOS04MzEyLTQyZGUtYTllYi05MmY4NWEwZWYwNjEvaW5Qcm9ncmVzcz9hcGktdmVyc2lvbj0yMDIyLTAxLTAx", + "RequestMethod": "POST", + "RequestHeaders": { + "x-ms-client-request-id": [ + "8fa22ca1-3b57-41bd-aae0-0f3b7f75a340" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, + "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + 
"Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], + "x-ms-request-id": [ + "ebeafd6d-059a-4035-8a15-ae25ad3c0dc2" + ], + "x-ms-correlation-request-id": [ + "ebeafd6d-059a-4035-8a15-ae25ad3c0dc2" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T092931Z:ebeafd6d-059a-4035-8a15-ae25ad3c0dc2" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:29:30 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 } ], "Names": {}, diff --git a/src/Security/Security/Cmdlets/Alerts/GetAlerts.cs b/src/Security/Security/Cmdlets/Alerts/GetAlerts.cs index a5edc207f8d5..29aab66e7a14 100644 --- a/src/Security/Security/Cmdlets/Alerts/GetAlerts.cs +++ b/src/Security/Security/Cmdlets/Alerts/GetAlerts.cs @@ -93,7 +93,7 @@ public override void ExecuteCmdlet() break; case ParameterSetNames.ResourceGroupLevelResource: SecurityCenterClient.AscLocation = Location; - alert = SecurityCenterClient.Alerts.GetResourceGroupLevelWithHttpMessagesAsync(Name, ResourceGroupName).GetAwaiter().GetResult().Body; + alert = SecurityCenterClient.Alerts.GetResourceGroupLevelWithHttpMessagesAsync(ResourceGroupName, Name).GetAwaiter().GetResult().Body; WriteObject(alert.ConvertToPSType(), enumerateCollection: false); break; case ParameterSetNames.ResourceId: @@ -107,7 +107,7 @@ public override void ExecuteCmdlet() } else { - alert = SecurityCenterClient.Alerts.GetResourceGroupLevelWithHttpMessagesAsync(AzureIdUtilities.GetResourceName(ResourceId), rg).GetAwaiter().GetResult().Body; + alert = SecurityCenterClient.Alerts.GetResourceGroupLevelWithHttpMessagesAsync(rg, AzureIdUtilities.GetResourceName(ResourceId)).GetAwaiter().GetResult().Body; } WriteObject(alert.ConvertToPSType(), enumerateCollection: false); diff --git a/src/Security/Security/Cmdlets/Alerts/SetAlerts.cs b/src/Security/Security/Cmdlets/Alerts/SetAlerts.cs index 0d7a20b7f721..36ff0df89132 100644 
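Review bot: The corrected call in the `ResourceGroupLevelResource` case still passes two strings positionally, which is the pattern that let the alert name and resource group be transposed without a compile error. The same applies to the `ResourceId` branch in the second GetAlerts.cs hunk. Named arguments would keep both calls correct if the regenerated SDK reorders its parameters again, for example `GetResourceGroupLevelWithHttpMessagesAsync(resourceGroupName: ResourceGroupName, alertName: Name)`. Those parameter names are assumed from the generated client, which is not visible here, so confirm them against `IAlertsOperations`. ExecuteCmdlet's body starts and ends outside both hunks.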
--- a/src/Security/Security/Cmdlets/Alerts/SetAlerts.cs
+++ b/src/Security/Security/Cmdlets/Alerts/SetAlerts.cs
@@ -110,6 +110,9 @@ public override void ExecuteCmdlet()
 case "resolved":
 actionType = "Resolve";
 break;
+ case "inprogress":
+ actionType = "InProgress";
+ break;
 default:
 break;
 }
@@ -133,6 +136,10 @@ public override void ExecuteCmdlet()
 {
 SecurityCenterClient.Alerts.UpdateSubscriptionLevelStateToResolveWithHttpMessagesAsync(name).GetAwaiter().GetResult();
 }
+ else if (actionType == "InProgress")
+ {
+ SecurityCenterClient.Alerts.UpdateSubscriptionLevelStateToInProgressWithHttpMessagesAsync(name).GetAwaiter().GetResult();
+ }
 }
 }
 else
@@ -141,15 +148,19 @@ public override void ExecuteCmdlet()
 {
 if (actionType == "Dismiss")
 {
- SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(name, rg).GetAwaiter().GetResult();
+ SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToDismissWithHttpMessagesAsync(rg, name).GetAwaiter().GetResult();
 }
 else if (actionType == "Activate")
 {
- SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(name, rg).GetAwaiter().GetResult();
+ SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToActivateWithHttpMessagesAsync(rg, name).GetAwaiter().GetResult();
 }
 else if (actionType == "Resolve")
 {
- SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(name, rg).GetAwaiter().GetResult();
+ SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToResolveWithHttpMessagesAsync(rg, name).GetAwaiter().GetResult();
+ }
+ else if (actionType == "InProgress")
+ {
+ SecurityCenterClient.Alerts.UpdateResourceGroupLevelStateToInProgressWithHttpMessagesAsync(rg, name).GetAwaiter().GetResult();
 }
 }
 }
From 519d1f0bc556afd4c2f1446cd6e2a9c5d7d24b34 Mon Sep 17 00:00:00 2001
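Review bot: The new `case "inprogress":` and the two `else if (actionType == "InProgress")` branches extend chains that still have no failing path. The switch keeps `default: break;` and neither if/else-if chain in the second and third hunks ends in an `else`, so a status that matches no case appears to return without calling the service or telling the caller. For a cmdlet that changes security-alert state, a silent no-op is easy to mistake for success, so I would make the fall-through explicit, for example `default: throw new PSArgumentException("Unsupported alert status");`. Whether a `ValidateSet` on the parameter already restricts the accepted values is not visible here, and ExecuteCmdlet's body starts and ends outside these hunks.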
From: yifat Date: Thu, 17 Nov 2022 11:45:36 +0200 Subject: [PATCH 08/18] Record and fix JitNetworkAccessPolicy tests --- .../SecurityJitNetworkAccessPolicyTests.ps1 | 4 +- .../GetResourceGroupLevelResource.json | 105 ++++++++--------- .../GetResourceGroupScope.json | 103 +++++++++-------- .../GetResourceId.json | 105 ++++++++--------- .../GetSubscriptionScope.json | 103 +++++++++-------- .../RemoveResourceGroupLevelResource.json | 103 +++++++++-------- .../RemoveResourceId.json | 101 +++++++++-------- .../SetResourceGroupLevelResource.json | 75 ++++++------ .../StartResourceGroupLevelResource.json | 107 +++++++++--------- 9 files changed, 415 insertions(+), 391 deletions(-) diff --git a/src/Security/Security.Test/ScenarioTests/SecurityJitNetworkAccessPolicyTests.ps1 b/src/Security/Security.Test/ScenarioTests/SecurityJitNetworkAccessPolicyTests.ps1 index 2d7a578e8e76..a1d1beec0a51 100644 --- a/src/Security/Security.Test/ScenarioTests/SecurityJitNetworkAccessPolicyTests.ps1 +++ b/src/Security/Security.Test/ScenarioTests/SecurityJitNetworkAccessPolicyTests.ps1 
@@ -76,7 +76,7 @@ function Set-AzureRmJitNetworkAccessPolicy-ResourceGroupLevelResource $rgName = Get-TestResourceGroupName [Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyVirtualMachine]$vm = New-Object -TypeName Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyVirtualMachine - $vm.Id = "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService" + $vm.Id = "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1" [Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPortRule]$port = New-Object -TypeName Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPortRule $port.AllowedSourceAddressPrefix = "127.0.0.1" $port.MaxRequestAccessDuration = "PT3H" 
@@ -126,7 +126,7 @@ function Start-AzureRmJitNetworkAccessPolicy-ResourceGroupLevelResource $rgName = Get-TestResourceGroupName [Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyInitiateVirtualMachine]$vm = New-Object -TypeName Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyInitiateVirtualMachine - $vm.Id = "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService" + $vm.Id = "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1" [Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyInitiatePort]$port = New-Object -TypeName Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyInitiatePort $port.AllowedSourceAddressPrefix = "127.0.0.1" $port.EndTimeUtc = [DateTime]::UtcNow.AddHours(2) diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupLevelResource.json index 911db4224338..77d35fed9b90 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupLevelResource.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "07ce869b-870a-4d24-8f60-e91896bcf6fe" + "b17fd6f6-33a5-4df1-8cf8-70c09bd212f2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "e5f7b441-5097-4d3e-8eb6-c63c0fc932f2" + "8e713b98-4779-46de-a2c1-a5d6fae0691d" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "f19f85c2-86c2-4f6b-9fbd-30f33fca6b20" + "255cdb8d-a593-448a-98d6-577f8127c5ef" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114216Z:f19f85c2-86c2-4f6b-9fbd-30f33fca6b20" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094341Z:255cdb8d-a593-448a-98d6-577f8127c5ef" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:16 GMT" + "Thu, 17 Nov 2022 09:43:41 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "843f8f3a-5acc-45b4-b7bf-ab14b76616b7" + "fb9037c0-4875-433c-be8b-7c487419a847" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "b2b0940f-35e9-4c45-b827-98f28c95572d" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "a7889bb0-81ca-4370-98c3-a803326b4344" + "21837d3e-335c-4718-815e-d59717bb5ede" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114217Z:a7889bb0-81ca-4370-98c3-a803326b4344" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094343Z:21837d3e-335c-4718-815e-d59717bb5ede" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:17 GMT" + "Thu, 17 Nov 2022 09:43:43 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "6eb3500e-616d-4645-b212-5ea869178b59" + "36cd4f0a-d704-49bb-83d0-f39905b6f5ab" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -164,32 +167,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "4a9a99b1-0979-4755-9359-a6164c1c62f5" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], "x-ms-correlation-request-id": [ - "024b2900-dbfa-480f-a9cd-e50a72b9ef84" + "6d6ed069-a137-4a90-9560-831d631beb75" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114217Z:024b2900-dbfa-480f-a9cd-e50a72b9ef84" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094344Z:6d6ed069-a137-4a90-9560-831d631beb75" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:17 GMT" + "Thu, 17 Nov 2022 09:43:44 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -198,7 +201,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupScope.json index 44e1f2564b3a..748c790be7d8 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceGroupScope.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "a918b69a-b279-4318-b6b4-6963df3c8484" + "d1b30269-7d72-4fbb-87c0-9fcc01be54d2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "5b43b2b0-c5f2-4aac-b3a9-9214383167a1" + "f8b795ba-0476-4058-8319-9936b28b4909" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "715c307f-6e89-43e7-a0b6-1fb2a5ec8047" + "c3f7e14b-4c69-49ce-9d71-319dbf8f9c4f" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114149Z:715c307f-6e89-43e7-a0b6-1fb2a5ec8047" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094332Z:c3f7e14b-4c69-49ce-9d71-319dbf8f9c4f" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:41:49 GMT" + "Thu, 17 Nov 2022 09:43:32 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "418488ce-a271-4e24-a8d7-720dd20597c5" + "c4239572-f58b-4729-bcc3-f5d8d7f077f8" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "b3a96e28-2464-47ed-8ec7-546633e6ff80" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "839e5b64-5995-4283-aa3e-6df0c7d2e354" + "890f166a-642d-418a-ae28-59f82eca3807" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114150Z:839e5b64-5995-4283-aa3e-6df0c7d2e354" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094335Z:890f166a-642d-418a-ae28-59f82eca3807" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:41:50 GMT" + "Thu, 17 Nov 2022 09:43:34 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9qaXROZXR3b3JrQWNjZXNzUG9saWNpZXM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5477c80b-535a-4d2f-a540-dfaa88f993e9" + "c77f1a89-b526-42a4-adab-759a5cfb18cb" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -165,21 +168,21 @@ "no-cache" ], "x-ms-original-request-ids": [ - "6550dcaa-bad4-47b7-aaaf-14e7cd30c95b", - "978432fc-47cb-40d9-bc97-8a5f354d8ab9", - "afa5b778-7688-4634-b4b9-5f8d092d28e4" + "", + "", + "" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], "x-ms-request-id": [ - "d2772b93-e2f1-4235-bdb4-1384d03c8a07" + "e86d3763-1e9d-4ae8-aa98-7e85041923d1" ], "x-ms-correlation-request-id": [ - "d2772b93-e2f1-4235-bdb4-1384d03c8a07" + "e86d3763-1e9d-4ae8-aa98-7e85041923d1" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114150Z:d2772b93-e2f1-4235-bdb4-1384d03c8a07" + "FRANCESOUTH:20221117T094335Z:e86d3763-1e9d-4ae8-aa98-7e85041923d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -188,7 +191,7 @@ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:41:50 GMT" + "Thu, 17 Nov 2022 09:43:34 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -197,10 +200,10 @@ "-1" ], "Content-Length": [ - "1581" + "657" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n },\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n },\r\n {\r\n \"number\": 3389,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n },\r\n {\r\n \"number\": 5985,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n },\r\n {\r\n \"number\": 5986,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Succeeded\",\r\n \"appendMode\": false\r\n },\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/northeurope/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"northeurope\"\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceId.json index cc2218aac438..5ed10d409d8c 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetResourceId.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "3a8e6506-c1f5-40d3-821a-5845b2c5fc18" + "1d54e1e9-7588-4aac-ba4c-22174433ebf8" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "b14094f3-f4f1-4ae3-b353-27ce780e2244" + "171a77a2-f499-4e9b-9b6e-982995207ac3" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "6db0154b-ea31-4a35-a459-d354945677d0" + "124f8c25-2c1a-4c38-93aa-3b0fdf388b4f" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114232Z:6db0154b-ea31-4a35-a459-d354945677d0" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094356Z:124f8c25-2c1a-4c38-93aa-3b0fdf388b4f" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:31 GMT" + "Thu, 17 Nov 2022 09:43:56 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ecefb380-845c-423c-bc48-ff12b1718ef2" + "db4e0feb-d13f-45e7-8cff-b66e801c85a3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "ed8956f2-c4af-4123-92dd-94ede8dc8a67" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "5040de79-3d8e-489f-94f6-1f82fd2babc3" + "30d97073-8a66-4e5c-828e-a1dece2739aa" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114233Z:5040de79-3d8e-489f-94f6-1f82fd2babc3" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094413Z:30d97073-8a66-4e5c-828e-a1dece2739aa" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:32 GMT" + "Thu, 17 Nov 2022 09:44:12 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "27f18d14-0c54-434b-a021-6fdffaa7d6df" + "f5618083-bc21-4b11-b8ab-258112724503" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -164,32 +167,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "846f49f2-cdf9-4a59-a970-613d6697343b" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], "x-ms-correlation-request-id": [ - "611a29a2-b4c0-4a10-8369-0bfcad52b802" + "b56185e8-d03c-49ad-af93-7fb8ffc0c652" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114233Z:611a29a2-b4c0-4a10-8369-0bfcad52b802" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094414Z:b56185e8-d03c-49ad-af93-7fb8ffc0c652" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:33 GMT" + "Thu, 17 Nov 2022 09:44:14 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -198,7 +201,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetSubscriptionScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetSubscriptionScope.json index 3b2e731d8f2b..c54e63efd9c3 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetSubscriptionScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/GetSubscriptionScope.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "4a8f2b51-9a9f-4117-9adf-82b183faa7e8" + "9b7a3d6a-b136-4a22-b93c-97d0dc8c4121" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "248" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "c2410d42-b56d-4542-a9ec-86404ad72fe5" + "9dc6cc7c-a945-4e6a-91a8-93915cebbf04" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "248" + "Kestrel" ], "x-ms-correlation-request-id": [ - "45003f4a-c3c4-4201-bf84-fa4c867bfe21" + "57c7ae81-cc5a-41f7-b009-689549b1fe17" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151840Z:45003f4a-c3c4-4201-bf84-fa4c867bfe21" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094459Z:57c7ae81-cc5a-41f7-b009-689549b1fe17" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:39 GMT" + "Thu, 17 Nov 2022 09:44:59 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "bedc6690-ba7e-46b0-801a-1e9e778cb7ef" + "b2e52c15-bc8c-4187-b913-13f2715adc1d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "104a3008-71c7-42cd-bc11-dbba28a4aefd" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], "x-ms-correlation-request-id": [ - "d6fba167-36d4-412a-887a-e47554b5da71" + "a7d74fed-8f18-4838-a3f5-bc67406e5b30" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151841Z:d6fba167-36d4-412a-887a-e47554b5da71" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094501Z:a7d74fed-8f18-4838-a3f5-bc67406e5b30" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:40 GMT" + "Thu, 17 Nov 2022 09:45:01 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvaml0TmV0d29ya0FjY2Vzc1BvbGljaWVzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "dcf8fee1-d1f3-401f-b00e-2ea9e42f26d8" + "06bba5ac-dda2-4a46-b04a-e6b54e35cc25" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -165,21 +168,21 @@ "no-cache" ], "x-ms-original-request-ids": [ - "04a5f316-611f-41e2-aa46-d1a0ec8fee96", - "916332d3-6cd9-44b8-92b3-b4e9e14a4e9a", - "43bc4660-a319-496d-bc2c-2d5aa074a61f" + "", + "", + "" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], "x-ms-request-id": [ - "d7401509-10e7-4cca-bc0d-652dc4b2beb5" + "281c19b2-9262-413f-ba4d-d54382f2c0f9" ], "x-ms-correlation-request-id": [ - "d7401509-10e7-4cca-bc0d-652dc4b2beb5" + "281c19b2-9262-413f-ba4d-d54382f2c0f9" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151841Z:d7401509-10e7-4cca-bc0d-652dc4b2beb5" + "FRANCESOUTH:20221117T094502Z:281c19b2-9262-413f-ba4d-d54382f2c0f9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -188,7 +191,7 @@ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:40 GMT" + "Thu, 17 Nov 2022 09:45:01 GMT" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -197,10 +200,10 @@ "-1" ], "Content-Length": [ - "1877" + "1044" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [\r\n {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2020-05-13T17:18:22.009706Z\",\r\n \"status\": \"Initiated\",\r\n \"statusReason\": \"UserRequested\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"startTimeUtc\": \"2020-05-13T15:18:22.54646Z\",\r\n \"requestor\": \"\"\r\n }\r\n ],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n },\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 3389,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n },\r\n {\r\n \"number\": 5985,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n 
\"maxRequestAccessDuration\": \"PT3H\"\r\n },\r\n {\r\n \"number\": 5986,\r\n \"protocol\": \"*\",\r\n \"allowedSourceAddressPrefix\": \"*\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Succeeded\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/northeurope/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"northeurope\"\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [\r\n {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2022-11-17T11:44:50.5921811Z\",\r\n \"status\": \"Initiated\",\r\n \"statusReason\": \"UserRequested\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"startTimeUtc\": \"2022-11-17T09:44:51.5874583Z\",\r\n \"requestor\": \"\"\r\n }\r\n ],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": 
\"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceGroupLevelResource.json index bd9d32d81c3d..06c4ea59187c 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceGroupLevelResource.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6f5d1090-eba9-4b9a-9be4-1c4b47b0602d" + "20cf7abb-5525-4237-aa8b-bbad4ac11238" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "6ccf439b-0416-4eb5-b137-7e4f10573705" + "ffde7d88-df2f-4944-9403-fe5d9992dcc8" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "a22e5ba3-da0d-41b4-adf4-1e069f60e023" + "1de5138b-0ba5-4b44-9a57-8749367801f2" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114249Z:a22e5ba3-da0d-41b4-adf4-1e069f60e023" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094428Z:1de5138b-0ba5-4b44-9a57-8749367801f2" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:48 GMT" + "Thu, 17 Nov 2022 09:44:28 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "20ee64cd-f9ea-4e98-84e4-432ce94cafaa" + "98945797-7e9d-4737-b7de-dced1b3aa6e1" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "e6f926ed-77b6-47ad-9094-46fe19487a35" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" + "1198" ], "x-ms-correlation-request-id": [ - "8459b79c-51cb-4b33-887f-46500fba4c22" + "70e019d1-42d0-4c2a-af19-2913f7d94ef4" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114250Z:8459b79c-51cb-4b33-887f-46500fba4c22" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094439Z:70e019d1-42d0-4c2a-af19-2913f7d94ef4" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:49 GMT" + "Thu, 17 Nov 2022 09:44:38 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "9b39cb8f-42a9-4cc4-90f1-58febad388e2" + "6d819b82-64ac-457c-b033-49ceb287735f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -164,29 +167,29 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "e17de7a4-fbba-46aa-b50e-2794c0960eeb" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], "x-ms-correlation-request-id": [ - "5f495ea6-4562-4b61-992d-51cb67b6a568" + "bc2fd589-1222-4b5e-aa41-d869f3c2a8ef" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114318Z:5f495ea6-4562-4b61-992d-51cb67b6a568" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094443Z:bc2fd589-1222-4b5e-aa41-d869f3c2a8ef" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:43:18 GMT" + "Thu, 17 Nov 2022 09:44:42 GMT" ], "Expires": [ "-1" 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceId.json index 81d15d4ebdcd..dde44e857f78 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/RemoveResourceId.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "fc7550ee-c201-4d3f-b047-81248c651dc0" + "72bf4c5a-cdc7-4135-83e0-101b48dda148" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "0a54c40d-cf1f-40bc-8977-e8ca5b352ae4" + "2810549e-d89a-497f-ab71-b242e0c12141" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "e06c881c-3ba9-4ba5-907e-7815b035f2a3" + "5dcb2a8e-b560-4156-bbb5-977e4a085db4" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114240Z:e06c881c-3ba9-4ba5-907e-7815b035f2a3" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094419Z:5dcb2a8e-b560-4156-bbb5-977e4a085db4" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:40 GMT" + "Thu, 17 Nov 2022 09:44:19 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "d5cfe526-712f-4e86-909f-56876a3b7905" + "2637b6ad-24d1-4ccd-82e2-a325252d5a92" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "52247aa6-4590-40c8-bb34-42a37d01b135" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "6b192625-3cb0-4e56-97c9-6c33f209b4fb" + "fb65dfa6-f7d9-4542-a605-01206090d20f" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114241Z:6b192625-3cb0-4e56-97c9-6c33f209b4fb" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094420Z:fb65dfa6-f7d9-4542-a605-01206090d20f" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:41 GMT" + "Thu, 17 Nov 2022 09:44:19 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,28 +138,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "ed6f3698-ea40-4188-a6a9-c2a6100046f5" + "8a566ebb-29e1-4e4a-a024-bd5af6cbace2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -164,29 +167,29 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "722d3438-1d85-4813-bf49-4fe211cede1e" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], "x-ms-correlation-request-id": [ - "100e0945-9204-49dc-910f-3956a8bee371" + "45a4520e-a6bb-4ee9-9f4a-915f1395eca6" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114242Z:100e0945-9204-49dc-910f-3956a8bee371" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094423Z:45a4520e-a6bb-4ee9-9f4a-915f1395eca6" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:42 GMT" + "Thu, 17 Nov 2022 09:44:23 GMT" ], "Expires": [ "-1" 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/SetResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/SetResourceGroupLevelResource.json index 30202375604e..f783c2224b41 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/SetResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/SetResourceGroupLevelResource.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ffa8c747-fc12-4787-9663-f68478b77c07" + "c63447b4-3b44-4647-afb0-252d96fa7a57" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "75719ae0-64f2-4525-aa16-ddd00aa061e7" + "3a986686-0347-4722-884c-bbd3fa9c4e67" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "fb95e6c3-31e8-40c5-94d7-63f603c81275" + "f472e598-8ba2-4161-9b29-f0f45672bfe0" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114224Z:fb95e6c3-31e8-40c5-94d7-63f603c81275" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094349Z:f472e598-8ba2-4161-9b29-f0f45672bfe0" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:24 GMT" + "Thu, 17 Nov 2022 09:43:49 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "2af60966-d8ea-43b4-8981-61dc5f3dbfca" + "99615ea7-f011-4158-8c7a-5445a8c411c9" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "f74148e0-855c-4581-bb3a-30c378e0357a" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "809bb4e6-1348-4312-b51c-f2de44746e03" + "b626bb27-4cd9-4d6f-836c-38e438c1bda7" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T114225Z:809bb4e6-1348-4312-b51c-f2de44746e03" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094352Z:b626bb27-4cd9-4d6f-836c-38e438c1bda7" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 11:42:25 GMT" + "Thu, 17 Nov 2022 09:43:51 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,7 +138,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 } ], 
diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/StartResourceGroupLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/StartResourceGroupLevelResource.json index 18fe75aabb15..f99e4aaeab25 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/StartResourceGroupLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityJitNetworkAccessPolicyTests/StartResourceGroupLevelResource.json 
@@ -1,22 +1,21 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMTgtMDYtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2022-03-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvcHJpY2luZ3MvVmlydHVhbE1hY2hpbmVzP2FwaS12ZXJzaW9uPTIwMjItMDMtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "a3c08d59-d60b-47bd-9a22-298a685dbc45" + "01e996b9-28a9-48bd-b20f-4a5a7acdfbca" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -25,6 +24,7 @@ "59" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,32 +32,35 @@ "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "api-supported-versions": [ + "1.0" + ], "x-ms-request-id": [ - "ef335765-b7db-419e-b931-57653408343a" + "faa989a9-6b5b-4818-bd5c-c3dfcdda8117" ], "Server": [ - "Microsoft-HTTPAPI/2.0" - ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "Kestrel" ], "x-ms-correlation-request-id": [ - "26af06bd-1c94-4c74-baf6-ce77ecf0f94e" + "8beabccb-2796-4798-abb5-079141eb512e" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151820Z:26af06bd-1c94-4c74-baf6-ce77ecf0f94e" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094448Z:8beabccb-2796-4798-abb5-079141eb512e" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:20 GMT" + "Thu, 17 Nov 2022 09:44:48 GMT" ], "Content-Length": [ - "248" + "263" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,34 +69,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/pricings/VirtualMachines\",\r\n \"name\": \"VirtualMachines\",\r\n \"type\": \"Microsoft.Security/pricings\",\r\n \"properties\": {\r\n \"subPlan\": \"P2\",\r\n \"pricingTier\": \"Standard\",\r\n \"freeTrialRemainingTime\": \"PT0S\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "9fa7b04d-ee28-451f-869a-11046e9177fd" + "8355b992-7884-489c-99a5-af9aab014cb9" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", 
- "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "471" + "472" ] }, + "RequestBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -101,32 +104,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "65caaf33-fec1-4255-98ec-86c74cd5f2c4" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "48196abb-7d76-49e3-bc8b-9748eda4326d" + "c31e3890-2f45-43d5-a774-7f2d4a4f09ad" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151821Z:48196abb-7d76-49e3-bc8b-9748eda4326d" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094450Z:c31e3890-2f45-43d5-a774-7f2d4a4f09ad" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:21 GMT" + "Thu, 17 Nov 2022 09:44:49 GMT" ], "Content-Length": [ - "644" + "645" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,34 +138,34 @@ "-1" ] }, - "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", + "ResponseBody": "{\r\n \"kind\": \"Basic\",\r\n \"properties\": {\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"protocol\": \"TCP\",\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"maxRequestAccessDuration\": \"PT3H\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"requests\": [],\r\n \"provisioningState\": \"Updating\",\r\n \"appendMode\": false\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/locations/jitNetworkAccessPolicies\",\r\n \"location\": \"centralus\"\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Security/locations/centralus/jitNetworkAccessPolicies/default/initiate?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Jlc291cmNlR3JvdXBzL215U2VydmljZTEvcHJvdmlkZXJzL01pY3Jvc29mdC5TZWN1cml0eS9sb2NhdGlvbnMvY2VudHJhbHVzL2ppdE5ldHdvcmtBY2Nlc3NQb2xpY2llcy9kZWZhdWx0L2luaXRpYXRlP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "POST", - "RequestBody": "{\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2020-05-13T17:18:22.009706Z\"\r\n }\r\n ]\r\n }\r\n ]\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "f3025794-63b4-4e6a-81e5-87c60591f9e5" + "18447021-614b-414a-8b45-3acad892333e" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.28207.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.18363.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "380" + "382" ] }, + "RequestBody": "{\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2022-11-17T11:44:50.5921811Z\"\r\n }\r\n ]\r\n }\r\n ]\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -170,32 +173,32 @@ "Pragma": [ "no-cache" ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], "x-ms-request-id": [ - "b95f5fbc-5d4e-4b73-bb79-b68ae3bb92c4" + "" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], "x-ms-correlation-request-id": [ - "717a18d4-c5c2-47bc-8371-7a27fbbef9de" + "7399f689-ddf5-4ade-b65c-43eecf2b0292" ], "x-ms-routing-request-id": [ - "GERMANYWESTCENTRAL:20200513T151822Z:717a18d4-c5c2-47bc-8371-7a27fbbef9de" - ], - "Strict-Transport-Security": [ - "max-age=31536000; includeSubDomains" + "FRANCESOUTH:20221117T094454Z:7399f689-ddf5-4ade-b65c-43eecf2b0292" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Wed, 13 May 2020 15:18:22 GMT" + "Thu, 17 Nov 2022 09:44:54 GMT" ], "Content-Length": [ - "384" + "388" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -204,7 +207,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2020-05-13T17:18:22.009706Z\",\r\n \"status\": \"Initiating\",\r\n \"statusReason\": \"UserRequested\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"startTimeUtc\": \"2020-05-13T15:18:22.54646Z\",\r\n \"requestor\": \"\"\r\n}", + "ResponseBody": "{\r\n \"virtualMachines\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\",\r\n \"ports\": [\r\n {\r\n \"number\": 22,\r\n \"allowedSourceAddressPrefix\": \"127.0.0.1\",\r\n \"endTimeUtc\": \"2022-11-17T11:44:50.5921811Z\",\r\n \"status\": \"Initiating\",\r\n \"statusReason\": \"UserRequested\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"startTimeUtc\": \"2022-11-17T09:44:51.5874583Z\",\r\n \"requestor\": \"\"\r\n}", "StatusCode": 202 } ], From 78e32832e25ad60b7d04d4bbc18d2d6431e02af9 Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 11:51:35 +0200 Subject: [PATCH 09/18] Record assessments and metadata tests --- .../ScenarioTests/SecurityAssessmentTests.ps1 | 2 +- .../CreateAndDeleteAssessmentMetadata.json | 50 +- .../GetAllAssessmentMetadata.json | 10 +- .../CreateAndDeleteAssessment.json | 432 +++++++++++++----- .../GetAllAssessments.json | 24 +- 5 files changed, 349 insertions(+), 169 deletions(-) diff --git a/src/Security/Security.Test/ScenarioTests/SecurityAssessmentTests.ps1 b/src/Security/Security.Test/ScenarioTests/SecurityAssessmentTests.ps1 index c25a73d9f296..d1d153d944f7 100644 --- a/src/Security/Security.Test/ScenarioTests/SecurityAssessmentTests.ps1 +++ b/src/Security/Security.Test/ScenarioTests/SecurityAssessmentTests.ps1 
@@ -28,7 +28,7 @@ Get security contacts on a subscription #> function CreateAndDelete-AzSecurityAssessment { - $assessmentGuid = "0338728b-bc5c-41d6-ab83-29cf28652680" + $assessmentGuid = "45fb078b-a96e-4d0b-90cb-f3ed8a5530c0" $metadata = Get-AzSecurityAssessmentMetadata | where { $_.Name -eq $assessmentGuid } Assert-True { $metadata.Count -eq 0 } diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json index cf4dae17a9c7..530def754c3c 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/CreateAndDeleteAssessmentMetadata.json @@ -6,7 +6,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "6fd3aef1-cae0-405d-9f57-628d75fc0d8c" + "a8f28810-1502-455f-bea0-2e752fdfb635" ], "Accept-Language": [ "en-US" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "1a0b3441-285a-4194-ac1d-8514bef53b0e" + "25c3fe9d-6edb-4f93-a268-47b07c8f6e37" ], "x-ms-correlation-request-id": [ - "1a0b3441-285a-4194-ac1d-8514bef53b0e" + "25c3fe9d-6edb-4f93-a268-47b07c8f6e37" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082003Z:1a0b3441-285a-4194-ac1d-8514bef53b0e" + "FRANCESOUTH:20221117T094914Z:25c3fe9d-6edb-4f93-a268-47b07c8f6e37" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -45,7 +45,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:03 GMT" + "Thu, 17 Nov 2022 09:49:13 GMT" ], "Content-Length": [ "1308177" 
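Review bot: The literal `$assessmentGuid` in `CreateAndDelete-AzSecurityAssessment` is replaced by another literal with no comment explaining the choice, and the precondition `Assert-True { $metadata.Count -eq 0 }` only holds while no assessment metadata with that name exists in the subscription. If the value was changed because an earlier run left the old metadata behind (an inference; the rest of the function, including any cleanup, is outside this hunk), a failed delete would force the same edit at the next re-recording. I would add a comment above the assignment, for example `# Fixed name (presumably so the recorded session replays); must not already exist in the subscription`. The help text directly above the function still reads `Get security contacts on a subscription`, which does not describe a create-and-delete assessment test and should be corrected in the same change.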
@@ -66,7 +66,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "5b48e6c9-3d2a-4d91-bd35-399bc741f505" + "c7268614-d44c-41b4-ba6d-5df8c1d0d17a" ], "Accept-Language": [ "en-US" @@ -90,13 +90,13 @@ "749" ], "x-ms-request-id": [ - "32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" + "0784c4ea-84d0-481a-8138-3a4c5e813f75" ], "x-ms-correlation-request-id": [ - "32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" + "0784c4ea-84d0-481a-8138-3a4c5e813f75" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082006Z:32ac8b94-52fd-4fef-b70e-c11e83b3d7d5" + "FRANCESOUTH:20221117T094917Z:0784c4ea-84d0-481a-8138-3a4c5e813f75" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -105,7 +105,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:06 GMT" + "Thu, 17 Nov 2022 09:49:16 GMT" ], "Content-Length": [ "1308608" @@ -126,7 +126,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "75971b95-40c7-48b7-af27-8a3c3a05453d" + "bfcc4b9d-12ba-4dd1-8af8-512b3d27d405" ], "Accept-Language": [ "en-US" @@ -150,13 +150,13 @@ "749" ], "x-ms-request-id": [ - "32b37e39-0e55-47cd-a170-ba9806eceed8" + "8ef0c676-c03f-4372-bfd1-dcd0171e0013" ], "x-ms-correlation-request-id": [ - "32b37e39-0e55-47cd-a170-ba9806eceed8" + "8ef0c676-c03f-4372-bfd1-dcd0171e0013" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082010Z:32b37e39-0e55-47cd-a170-ba9806eceed8" + "FRANCESOUTH:20221117T094920Z:8ef0c676-c03f-4372-bfd1-dcd0171e0013" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -165,7 +165,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:09 GMT" + "Thu, 17 Nov 2022 09:49:19 GMT" ], "Content-Length": [ "1308177" @@ -186,7 +186,7 @@ "RequestMethod": "PUT", "RequestHeaders": { "x-ms-client-request-id": [ - "dff416e4-62e5-4769-9076-c1e303edb078" + "472c379b-f55a-4f60-aa30-7d3412a0dbb7" ], "Accept-Language": [ "en-US" 
@@ -216,13 +216,13 @@ "1199" ], "x-ms-request-id": [ - "38d91867-47a8-4e1d-96e6-cc43ab72f23e" + "7aee2a29-59e0-43ca-9cbc-b8b8b51e46b3" ], "x-ms-correlation-request-id": [ - "38d91867-47a8-4e1d-96e6-cc43ab72f23e" + "7aee2a29-59e0-43ca-9cbc-b8b8b51e46b3" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082006Z:38d91867-47a8-4e1d-96e6-cc43ab72f23e" + "FRANCESOUTH:20221117T094916Z:7aee2a29-59e0-43ca-9cbc-b8b8b51e46b3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -231,7 +231,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:05 GMT" + "Thu, 17 Nov 2022 09:49:15 GMT" ], "Content-Length": [ "430" @@ -252,7 +252,7 @@ "RequestMethod": "DELETE", "RequestHeaders": { "x-ms-client-request-id": [ - "c1ee1196-50f2-4f5e-a959-f871b54fb8fc" + "b3409e97-c874-4e3b-9ec0-3660d2cca04c" ], "Accept-Language": [ "en-US" @@ -276,13 +276,13 @@ "14999" ], "x-ms-request-id": [ - "bf13f950-fd5b-4921-964c-e26f60f6a43d" + "8624820e-600a-47b9-aa95-4087bad57742" ], "x-ms-correlation-request-id": [ - "bf13f950-fd5b-4921-964c-e26f60f6a43d" + "8624820e-600a-47b9-aa95-4087bad57742" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082009Z:bf13f950-fd5b-4921-964c-e26f60f6a43d" + "FRANCESOUTH:20221117T094919Z:8624820e-600a-47b9-aa95-4087bad57742" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -291,7 +291,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:08 GMT" + "Thu, 17 Nov 2022 09:49:18 GMT" ], "Expires": [ "-1" diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json index ed36c75e6c2c..d85d0f436e99 100644 
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentMetadataTests/GetAllAssessmentMetadata.json @@ -6,7 +6,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "d28540b6-de12-48e3-947f-400a85f47583" + "956c7f23-6e40-4953-adaa-a324c354f361" ], "Accept-Language": [ "en-US" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "2e5b12e2-ff09-4184-a2ac-d7722215366c" + "19ed7dca-645b-42dd-8aca-9a087078ac62" ], "x-ms-correlation-request-id": [ - "2e5b12e2-ff09-4184-a2ac-d7722215366c" + "19ed7dca-645b-42dd-8aca-9a087078ac62" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T082015Z:2e5b12e2-ff09-4184-a2ac-d7722215366c" + "FRANCESOUTH:20221117T094925Z:19ed7dca-645b-42dd-8aca-9a087078ac62" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -45,7 +45,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:20:14 GMT" + "Thu, 17 Nov 2022 09:49:24 GMT" ], "Content-Length": [ "1308177" diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json index 6eb3a71fba96..fd4895f80841 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/CreateAndDeleteAssessment.json 
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "db4fdab5-03f0-4711-847d-401de2ef7d42" + "3da51434-d2f3-40d7-9e5f-8b807e259577" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "aa7f57eb-05be-4998-999f-882c55c62728" + "4a46499d-116f-44d2-87f1-1c8df5330a92" ], "x-ms-correlation-request-id": [ - "aa7f57eb-05be-4998-999f-882c55c62728" + "4a46499d-116f-44d2-87f1-1c8df5330a92" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144743Z:aa7f57eb-05be-4998-999f-882c55c62728" + "FRANCESOUTH:20221117T095057Z:4a46499d-116f-44d2-87f1-1c8df5330a92" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -45,10 +45,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:43 GMT" + "Thu, 17 Nov 2022 09:50:57 GMT" ], "Content-Length": [ - "345413" + "1308177" ], "Content-Type": [ "application/json; charset=utf-8" @@ -57,28 +57,88 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. 
Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. 
For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and 
have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). 
If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. 
For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": 
\"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review 
the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets 
should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by 
checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for 
IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". 
It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). 
It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, 
please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this 
issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how 
to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a 
VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS 
Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker 
notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have 
encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow 
logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch 
installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n 
\"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. 
Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of 
duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. 
For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. 
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. 
Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. 
Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. 
DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. 
Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive 
data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. 
\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all 
accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys 
consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For 
directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub 
CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. 
When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. 
The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. 
IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. 
IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. 
Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. 
In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n 
\"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": 
\"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. 
VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. 
A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. 
Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.

Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.

Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.

Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability 
Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"

To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
  3. Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n 
\"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "f6a71b0f-d1a1-47a3-970d-36647027d08b" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "x-ms-request-id": [ + "d6923109-1770-42b0-9359-8bda6b602e95" + ], + "x-ms-correlation-request-id": [ + "d6923109-1770-42b0-9359-8bda6b602e95" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T095103Z:d6923109-1770-42b0-9359-8bda6b602e95" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:51:03 GMT" + ], + "Content-Length": [ + "1308608" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and 
vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n 
\"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": 
\"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "361f00d7-844c-44dd-b414-49cd7f5627db" + "5fa6cf7e-3bed-42e5-bc00-221a3e4a0219" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -90,13 +150,13 @@ "748" ], "x-ms-request-id": [ - "13f8e7d3-f857-4a81-aa49-8f38e2a6c8e0" + "fc451027-ca72-4cf9-991c-19bd9363a5cd" ], "x-ms-correlation-request-id": [ - "13f8e7d3-f857-4a81-aa49-8f38e2a6c8e0" + "fc451027-ca72-4cf9-991c-19bd9363a5cd" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144745Z:13f8e7d3-f857-4a81-aa49-8f38e2a6c8e0" + "FRANCESOUTH:20221117T095111Z:fc451027-ca72-4cf9-991c-19bd9363a5cd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -105,10 +165,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:45 GMT" + "Thu, 17 Nov 2022 09:51:10 GMT" ], "Content-Length": [ - "345844" + "1308177" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -117,28 +177,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. 
Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. 
For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and 
have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). 
If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. 
For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": 
\"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review 
the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets 
should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by 
checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for 
IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". 
It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). 
It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, 
please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this 
issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how 
to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a 
VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS 
Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker 
notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have 
encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow 
logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch 
installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n 
\"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. 
Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of 
duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. 
For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. 
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. 
Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. 
Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. 
DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. 
Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive 
data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. 
\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all 
accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys 
consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For 
directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub 
CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. 
When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. 
The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. 
IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. 
IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. 
Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. 
In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n 
\"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": 
\"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. 
VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. 
A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. 
Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.

Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.

Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.

Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability 
Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"

To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
  3. Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8\",\r\n \"description\": \"To protect machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"name\": \"9b26b102-ccde-4697-aa30-f0621f865f99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of EC2 instances should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time instance access:
  • Select one or more Instances from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific instance.
  • On the \\\"JIT instance access configuration\\\" page, define the ports for which the just-in-time instance access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"name\": \"2cac0072-6f56-46f0-9518-ddec3660ee56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and WebSocket API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.
The control fails if logging is not enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.
The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.\",\r\n \"remediationDescription\": \"To enable logging for REST and WebSocket API operations, Set up CloudWatch API logging using the API Gateway console in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"name\": \"ec268d38-c94b-4df3-8b4e-5248fcaaf3fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should be configured to use SSL certificates for backend authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.
Backend systems use these certificates to authenticate that incoming requests are from API Gateway.
API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.\",\r\n \"remediationDescription\": \"For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see Generate and configure an SSL certificate for backend authentication in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"name\": \"5cbaff4f-f8d5-49fe-9fdc-63c4507ac670\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API stages should have AWS X-Ray tracing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.
X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.
X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see Amazon API Gateway active tracing support for AWS X-Ray in the AWS X-Ray Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"name\": \"d69eb8b0-79ba-4963-a683-a96a8ea787e2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway should be associated with an AWS WAF web ACL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).
This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.
Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs in the API Gateway Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"name\": \"1a0ce4e0-b61e-4ec7-ab65-aeaff3893bd3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API cache data should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users ability access the data. For example, API permissions are required to decrypt the data before it can be read.
API Gateway REST API caches should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To remediate this control, configure the stage to encrypt the cache data.
To configure API caching for a given stage
1. Open the API Gateway console.
2. Choose the API.
3. Choose \\\"Stages\\\".
4. In the \\\"Stages\\\" list for the API, choose the stage to add caching to.
5. Choose \\\"Settings\\\".
6. Choose \\\"Enable API cache\\\".
7. Update the desired settings, then select \\\"Encrypt cache data\\\".
Choose \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/186509dc-f326-415f-b085-4d27f1342849\",\r\n \"name\": \"186509dc-f326-415f-b085-4d27f1342849\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
A user might sometimes request the distributions root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For detailed instructions on how to specify a default root object for your distribution, see How to specify a default root object in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"name\": \"a0ab1f4e-bafb-4947-a7d1-13a9c35c7d82\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.
CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"name\": \"a67adff8-625f-4891-9f61-43f837d18ad2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Requiring HTTPS for communication between viewers and CloudFront in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"name\": \"4779e962-2ea3-4126-aa76-379ea271887c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.
CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Creating an origin group in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"name\": \"88114970-36db-42b3-9549-20608b1ab8ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.
CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.
These logs are useful for applications such as security and access audits and forensics investigation. For additional guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.\",\r\n \"remediationDescription\": \"For information on how to configure access logging for a CloudFront distribution, see Configuring and using standard logs (access logs) in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"name\": \"0e0d5964-2895-45b1-b646-fcded8d567be\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have AWS WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.\",\r\n \"remediationDescription\": \"For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content in the Amazon CloudFront Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"name\": \"d088fb9f-11dc-451e-8f79-393916e42bb2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.This control fails if the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow \\\"kms:Decrypt\\\" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.

To modify an IAM customer managed policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Policies\\\".
3. Choose the arrow next to the policy you want to modify.
4. Choose \\\"Edit policy\\\".
5. Choose the \\\"JSON\\\" tab.
6. Change the \\\"Resource\\\" value to the specific key or keys that you want to allow.
7. After you modify the policy, choose \\\"Review policy\\\".
8. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"name\": \"18be55d0-b681-4693-af8d-b8815518d758\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if \\\"kms:Decrypt\\\" or \\\"kms:ReEncryptFrom\\\" actions are allowed on all KMS keys in an inline policy.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow \\\"kms:Decrypt\\\" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"To remediate this issue, you modify the inline policy to restrict access to the keys.

To modify an IAM inline policy

1. Open the IAM console at https://console.aws.amazon.com/iam/
2. In the IAM navigation pane, choose \\\"Users, Groups\\\", or \\\"Roles\\\".
3. Choose the name of the user, group or role for which to modify IAM inline policies.
4. Choose the arrow next to the policy to modify.
5. Choose \\\"Edit policy\\\".
6. Choose the \\\"JSON\\\" tab.
7. Change the \\\"Resource\\\" value to the specific keys you want to allow.
8. After you modify the policy, choose \\\"Review policy\\\".
9. Choose \\\"Save changes\\\".

For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"name\": \"10c59743-84c4-4711-adb7-ba895dc57339\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.\",\r\n \"remediationDescription\": \"For detailed remediation instructions to cancel a scheduled KMS key deletion, see \\\"To cancel key deletion\\\" under Scheduling and canceling key deletion (console) in the AWS Key Management Service Developer Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"name\": \"fe770214-7b47-48f7-a78c-1279c35d8279\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses.
The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.
This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.\",\r\n \"remediationDescription\": \"During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address.
By default, default subnets have this attribute set to true. Nondefault subnets have the IPv4 public addressing attribute set to false, unless it was created by the Amazon EC2 launch instance wizard. In that case, the wizard sets the attribute to true.
You need to launch your cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to false.
After launch, you cannot manually disassociate a public IPv4 address from your instance.
To remediate this finding, you need to create a new cluster in VPC private subnet. For information on how to launch a cluster in into a VPC private subnet, see Launch clusters into a VPC in the Amazon EMR Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"name\": \"5a0476c5-a14b-4195-8c31-633511234b38\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies that you create should not allow wildcard actions for services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'.
For example, the following statement in a policy results in a failed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:*',
'Resource': '*'
}

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.
This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.
When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.
In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.
'Statement': [
{
'Sid': 'EC2-Wildcard',
'Effect': 'Allow',
'Action': 'ec2:Describe*',
'Resource': '*'
}

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.\",\r\n \"remediationDescription\": \"To remediate this issue, update your IAM policies so that they do not allow full '*' administrative privileges.
For details on how to edit an IAM policy, see Editing IAM policies in the IAM User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"name\": \"0bde343a-0681-4ee2-883a-027cc1e655b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"There is no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed CMK.
For more information, see Creating an Amazon EBS volume and Copying an Amazon EBS snapshot in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"name\": \"1a3340b3-8916-40fe-942d-a937e60f5d4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.\",\r\n \"remediationDescription\": \"You can terminate an EC2 instance using either the console or the command line.
Before you terminate the EC2 instance, verify that you won't lose any data:
* Check that your Amazon EBS volumes will not be deleted on termination.
* Copy any data that you need from your EC2 instance store volumes to Amazon EBS or Amazon S3.
To terminate an EC2 instance (console)
1. Open the Amazon EC2 console.
2. In the navigation pane, under Instances, choose \\\"Instances\\\".
3. Select the instance, and then choose \\\"Actions\\\", \\\"Instance State\\\", \\\"Terminate\\\".
4. When prompted for confirmation, choose \\\"Yes, Terminate\\\".
To terminate an EC2 instance (AWS CLI, Tools for Windows PowerShell)
Use one of the following commands. For more information about the command line interface, see Accessing Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
- From the AWS CLI, use terminate-instances
- From the Tools for Windows PowerShell, use Stop-EC2Instance.
To learn more about terminating instances, see Terminating an instancein the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"name\": \"56406d4c-87b4-4aeb-b1cc-7f6312d78e0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS).
The control fails if the account level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data.
For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.\",\r\n \"remediationDescription\": \"You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. From the navigation pane, select \\\"EC2 Dashboard\\\".
3. In the upper-right corner of the page, choose \\\"Account Attributes\\\", \\\"EBS encryption\\\".
4. Choose \\\"Manage\\\".
5. Select \\\"Enable\\\". You can keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed key.
6. Choose \\\"Update EBS encryption\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"name\": \"5ea3248a-8af5-4df3-8e08-f7d1925ea147\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if \\\"HttpTokens\\\" is set to \\\"required\\\" for IMDSv2. The control fails if \\\"HttpTokens\\\" is set to \\\"optional\\\".
You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.\",\r\n \"remediationDescription\": \"To remediate an EC2 instance that is not configured with IMDSv2, you can require the use of IMDSv2.
To require IMDSv2 on an existing instance, when you request instance metadata, modify the Amazon EC2 metadata options. Follow the instructions in Configuring instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.
To require the use of IMDSv2 on a new instance when you launch it, follow the instructions in Configuring instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
To configure your new EC2 instance with IMDSv2 from the console
1. Open the Amazon EC2 console.
2. Choose \\\"Launch instance\\\" and then choose \\\"Launch instance\\\".
3. In the \\\"Configure Instance Details\\\" step, under \\\"Advanced Details\\\", for \\\"Metadata version\\\", choose \\\"V2 (token required)\\\".
4. Choose \\\"Review and Launch\\\".
If your software uses IMDSv1, you can reconfigure your software to use IMDSv2. For details, see Transitioning to using Instance Metadata Service Version 2 in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"name\": \"63afb20c-4e8e-42ad-bc6d-dc48d4bebc5f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the \\\"publicIp\\\" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.
IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.\",\r\n \"remediationDescription\": \"Use a non-default VPC so that your instance is not assigned a public IP address by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public IP address from your EC2 instance. To control whether your EC2 instance receives a public IP address, do one of the following:
- Modify the public IP addressing attribute of your subnet. For more information, see Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
- Enable or disable the public IP addressing feature during launch. This overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch in the Amazon EC2 User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2 instance is reachable from the internet. You can disassociate an Elastic IP address from an instance or network interface at any time.
To disassociate an Elastic IP address
1. Open the Amazon EC2 console
2. In the navigation pane, choose \\\"Elastic IPs\\\".
3. Select the Elastic IP address to disassociate.
4. From \\\"Actions\\\", choose \\\"Disassociate Elastic IP address\\\".
5. Choose \\\"Disassociate\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"name\": \"e700ddd4-bb55-4602-b93a-d75895fbf7c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.
To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"remediationDescription\": \"To remediate this issue, you can create an interface VPC endpoint to Amazon EC2.
To create an interface endpoint to Amazon EC2 from the Amazon VPC console
1. Open the Amazon VPC console
2. In the navigation pane, choose \\\"Endpoints\\\".
3. Choose \\\"Create Endpoint\\\".
4. For \\\"Service category\\\", choose \\\"AWS services\\\".
5. For \\\"Service Name\\\", choose \\\"com.amazonaws.<region>.ec2\\\".
6. For \\\"Type\\\", choose \\\"Interface\\\".
7. Complete the following information.
  1. For \\\"VPC\\\", select a VPC in which to create the endpoint.
  2. For \\\"Subnets\\\", select the subnets (Availability Zones) in which to create the endpoint network interfaces. Not all Availability Zones are supported for all AWS services.
  3. To enable private DNS for the interface endpoint, select the check box for \\\"Enable DNS Name\\\". This option is enabled by default.
    To use the private DNS option, the following attributes of your VPC must be set to true:
    - \\\"enableDnsHostnames\\\"
    - \\\"enableDnsSupport\\\"
    For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
  4. For \\\"Security group\\\", select the security groups to associate with the endpoint network interfaces.
  5. (Optional) Add or remove a tag. To add a tag, choose \\\"Add tag\\\" and do the following:
    - For \\\"Key\\\", enter the tag name.
    - For \\\"Value\\\", enter the tag value.
  6.  To remove a tag, choose the delete button (x) to the right of the tag Key and Value.
8. Choose \\\"Create endpoint\\\".
To create an interface VPC endpoint policy
You can attach a policy to your VPC endpoint to control access to the Amazon EC2 API. The policy specifies the following:
- The principal that can perform actions
- The actions that can be performed
- The resource on which the actions can be performed
For more details on creating a VPC endpoint policy, see Amazon EC2 and interface VPC endpoints In the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"name\": \"ace790eb-39b9-4b4f-b53d-26d0f77d4ab8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 subnets should not automatically assign public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have \\\"MapPublicIpOnLaunch\\\" set to \\\"FALSE\\\". The control passes if the flag is set to \\\"FALSE\\\".
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.\",\r\n \"remediationDescription\": \"You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses
1. Open the Amazon VPC console.
2. In the navigation pane, choose \\\"Subnets\\\".
3. Select your subnet and then choose \\\"Subnet Actions\\\", \\\"Modify auto-assign IP settings\\\".
4. Clear the \\\"Enable auto-assign public IPv4 address\\\" check box and then choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"name\": \"5f9a7d87-ec2e-409a-991a-48c29484d6b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused network access control lists should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether there are any unused network access control lists (ACLs).
The control checks the item configuration of the resource \\\"AWS::EC2::NetworkAcl\\\" and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.\",\r\n \"remediationDescription\": \"For instructions on how to delete an unused network ACL, see Deleting a network ACL in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"name\": \"fead4128-7325-4b82-beda-3fd42de36920\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not use multiple ENIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs).This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.
Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.\",\r\n \"remediationDescription\": \"To remediate this issue, detach the additional ENIs.
To detach a network interface
1. Open the Amazon EC2 console.
2. Under \\\"Network & Security\\\", choose \\\"Network Interfaces\\\".
3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
4. Select the ENIs that you want to remove.
5. From the \\\"Actions\\\" menu, choose \\\"Detach\\\".
6. If you see the prompt \\\"Are you sure that you want to detach the following network interface?\\\", choose \\\"Detach\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"name\": \"8b328664-f3f1-45ab-976d-f6c66647b3b8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should only allow unrestricted incoming traffic for authorized ports\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the \\\"authorizedTcpPorts\\\" parameter.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in \\\"authorizedTcpPorts\\\", then the control passes. The default value for \\\"authorizedTcpPorts\\\" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in authorizedTcpPorts input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.\",\r\n \"remediationDescription\": \"For information on how to modify a security group, see Add, remove, or update rules in the Amazon VPC User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"name\": \"194fd099-90fa-43e1-8d06-6b4f5138e952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow unrestricted access to ports with high risk\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
- 3389 (RDP)
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 110 (POP3)
- 143 (IMAP)
- 3306 (mySQL)
- 8080 (proxy)
- 1433, 1434 (MSSQL)
- 9200 or 9300 (Elasticsearch)
- 5601 (Kibana)
- 25 (SMTP)
- 445 (CIFS)
- 135 (RPC)
- 4333 (ahsp)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)\",\r\n \"remediationDescription\": \"For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\",\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"name\": \"bfa7d2aa-f362-11eb-9a03-0242ac130003\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.
\",\r\n \"remediationDescription\": \"For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"name\": \"4f4fbc5e-0b10-4208-b52f-1f47f1c73b6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"To encrypt an unencrypted RDS snapshot: 1. Open the  Amazon RDS console. 2. In the navigation pane, choose \\\"Snapshots\\\". 3. Find the snapshot to encrypt under \\\"Manual\\\" or \\\"System\\\". 4. Select the check box next to the snapshot to encrypt. 5. Choose \\\"Actions\\\", then choose \\\"Copy Snapshot\\\". 6. Under \\\"New DB Snapshot Identifier\\\", type a name for the new snapshot.7. Under \\\"Encryption\\\", select \\\"Enable Encryption\\\". 8. Choose the KMS key to use to encrypt the snapshot. 9. Choose \\\"Copy Snapshot\\\". 10. After the new snapshot is created, delete the original snapshot. 11. For \\\"Backup Retention Period\\\", choose a positive nonzero value. For example, 30 days.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"name\": \"70ebbd01-cd79-4bc8-ae85-49f47ccdd5ad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances.
RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"To enable multiple Availability Zones for a DB instance: 1. Open the Amazon RDS console at Amazon RDS console. 2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance that you want to modify.3. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.4. Under Instance Specifications, set \\\"Multi-AZ deployment \\\" to \\\"Yes\\\" .5. Choose \\\"Continue\\\" and then check the summary of modifications. 6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide. 7. On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"name\": \"93e5a579-dd2f-4a56-b827-ebbfe7376b16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"name\": \"9e769650-868c-46f5-b8c0-1a8ba12a4c92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB cluster:
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB cluster that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\".5. Choose \\\"Continue\\\" 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"name\": \"8e1f7933-faa9-4379-a9bd-697740dedac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.
Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"To enable deletion protection for an RDS DB instance: 1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/. 2. In the navigation pane, choose \\\"Databases\\\", then choose the DB instance that you want to modify. 3. Choose \\\"Modify\\\". 4. Under \\\"Deletion protection\\\", choose \\\"Enable deletion protection\\\". 5. Choose \\\"Continue\\\". 6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\". 7. Choose \\\"Modify DB Instance\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"name\": \"cdf441dd-0ab7-4ef2-a643-de12725e5d5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured for multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"RDS DB clusters should be configured for multiple the data that is stored.
Deployment to multiple Availability Zones allows for automate Availability Zones to ensure availability of ed failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.\",\r\n \"remediationDescription\": \"To enable multi-AZ for a DB cluster (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\", and then choose the DB instance to modify.
3. choose \\\"Modify\\\", The \\\"Modify DB Instance\\\" page appears.
4. Under \\\"Instance Specifications\\\", set \\\"Multi-AZ deploymen\\\" to \\\"Yes\\\".
5. Choose \\\"Continue\\\" and check the summary of modifications.
6. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
On the confirmation page, review your changes. If they are correct, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"name\": \"b9ed02d0-afca-4bed-838d-70bf31ecf19a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB clusters should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database clusters.
Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB cluster
1. Open theAmazon RDS console at https://console.aws.amazon.com/rds/.
2. Choose \\\"Databases\\\"
3. Select the DB cluster to modify.
4. choose \\\"Modify\\\".
5. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"name\": \"fcd891e5-c6a2-41ce-bca6-f49ec582f3ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured to copy tags to snapshots\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
Identification and inventory of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.
Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.\",\r\n \"remediationDescription\": \"To enable automatic tag copying to snapshots for a DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Under \\\"Backup\\\", select \\\"Copy tags to snapshots\\\".
5. Choose \\\"Continue\\\".
6. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"name\": \"9a84b879-8aab-4b82-80f2-22e637a26813\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should be deployed in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPCs provide a number of network controls to secure access to RDS resources.
These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.\",\r\n \"remediationDescription\": \"For detailed instructions on how to move RDS instances to VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\",\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"name\": \"65659c22-6588-405b-b118-614c2b4ead5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical cluster events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type,
event category key-value pairs. DBCluster: [\\\"maintenance\\\" and \\\"failure\\\"].
RDS event notifications uses Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \" To subscribe to RDS cluster event notifications.
1. Open the Amazon RDS console at
https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Clusters\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Clusters\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"name\": \"ff4f3ab3-8ed7-4b4f-a721-4c3b66a59140\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database instance events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBInstance: [\\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Instances\\\".
  d. Under \\\"Instances to include\\\", select \\\"All Instances\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"maintenance\\\", \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"name\": \"c6f24bb0-b696-451c-a26e-0cc9ea8e97e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database parameter group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type.
event category key-value pairs. DBParameterGroup: [\\\"configuration\\\",\\\"change\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.
For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create \\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Parameter groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All parameter groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"name\": \"ab5c51fb-ecdb-46de-b8df-c28ae46ce5bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An RDS event notifications subscription should be configured for critical database security group events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.DBSecurityGroup: [\\\"configuration\\\",\\\"change\\\",\\\"failure\\\"].
RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.
For additional information about RDS event notifications , see Using Amazon RDS event notification in the Amazon RDS User Guide.\",\r\n \"remediationDescription\": \"To subscribe to RDS cluster event notifications (console)
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
2. In the navigation pane, choose \\\"Event\\\",\\\"subscriptions\\\".
3. Under \\\"Event subscriptions\\\" choose \\\"Create event subscription\\\".
4. In the \\\"Create event subscription\\\" dialog, do the following:
  a. For \\\"Name\\\", enter a name for the event notification subscription.
  b. For \\\"Send notifications to\\\", choose an existing Amazon SNS ARN for an SNS topic, To use a new topic, choose \\\"create topic\\\" to enter the name of a topic and a list of recipients.
  c. For \\\"Source type\\\", choose \\\"Security groups\\\".
  d. Under \\\"Instances to include\\\", select \\\"All security groups\\\".
  e. Under \\\"Event categories to include\\\", select \\\"Specific event categories\\\".The control also passes if you select \\\"All event categories\\\".
  f. Select \\\"configuration change\\\" and \\\"failure\\\".
  g. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"name\": \"47476790-2527-4bdb-b839-3b48ed18dccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured.
Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling DynamoDB automatic scaling on existing tables in capacity mode, see Enabling DynamoDB auto scaling on existing tables. in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"name\": \"cc873508-40c1-41b6-8507-8a431d74f831\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.
Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"To remediate this issue, add point-in-time recovery to your DynamoDB table.
To enable DynamoDB \\\"point-in-time recovery\\\" for an existing table:
1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/. 2. Choose the table that you want to work with, and then choose \\\"Backups\\\". 3. In the Point-in-time Recovery section, under Status, choose \\\"Enable\\\". 4. Choose \\\"Enable\\\" again to confirm the change.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"name\": \"58e67d3d-8b17-4c1c-9bc4-550b10f0328a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data.
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest.
For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see Enabling encryption at rest using the AWS Management Console in the Amazon DynamoDB Developer Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"name\": \"4e482075-311f-401e-adc7-f8a8affc5635\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
*\\\"Encrypted\\\" is set to \\\"false\\\" in the DescribeFileSystems response.
The \\\"KmsKeyId\\\" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the \\\"KmsKeyId\\\" parameter for efs-encrypted-check. It only checks the value of \\\"Encrypted\\\". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems.
Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system.
To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"remediationDescription\": \"For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"name\": \"e864e460-158b-4a4a-beb9-16ebc25c1240\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system:
1.Open the Amazon Elastic File System console. 2. On the \\\"File systems\\\" page, choose the file system for which to enable automatic backups. The \\\"File system details\\\" page is displayed. 3. Under \\\"General\\\", choose \\\"Edit\\\". 4. To enable automatic backups, select \\\"Enable automatic backups\\\". 5. Choose \\\"Save changes\\\".
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"name\": \"e656e5b7-130c-4fb4-be90-9bdd4f82fdfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use supported runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:
nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.\",\r\n \"remediationDescription\": \"For more information on supported runtimes and deprecation schedules, see the Runtime support policy section of the AWS Lambda Developer Guide.
When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Persistence\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Proxy\",\r\n \"Account Manipulation\",\r\n \"Scheduled Task/Job\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"name\": \"dcf10b98-798f-4734-9afd-800916bf1e65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should have a dead-letter queue configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.
As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.
A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.
A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.
From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.
For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.\",\r\n \"remediationDescription\": \"You can configure a dead-letter queue from the AWS Lambda console.
To configure a dead-letter queue
1. Open the AWS Lambda console.
2. In the navigation pane, choose \\\"Functions\\\".
3. Choose a function.
4. Choose \\\"Configuration\\\" and then choose \\\"Asynchronous invocation\\\".
5. Under \\\"Asynchronous invocation\\\", choose \\\"Edit\\\".
6. Set \\\"DLQ resource\\\" to Amazon SQS or Amazon SNS.
7. Choose the target queue or topic.
8. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"name\": \"90917e06-2781-4857-9d74-9043c6475d03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.
For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
1. Open the Amazon SNS console.
2. In the navigation pane, choose \\\"Topics\\\".
4. Choose the name of the topic to encrypt.
5. Choose \\\"Edit\\\".
6. Under \\\"Encryption\\\", choose Enable Encryption.
7. Choose the KMS key to use to encrypt the topic.
8. Choose \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"File and Directory Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"name\": \"773667f7-6511-4aec-ae9c-e3286c56a254\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.
The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.
The control fails if the listener is not configured with TLS or HTTPS for front-end connections.
Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
3. Choose the Listeners tab, and then choose Edit.
4. For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
5. For all modified listeners, under SSL Certificate, choose Change.
6. For all modified listeners, select Choose a certificate from ACM.
7. Select the certificate from the Certificates drop-down list. Then choose Saveb.
8. After you update all of the listeners, choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"name\": \"ca924610-5a8e-4c5e-9f17-8dff1ab1757b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Drop Invalid Header Fields, choose Enable.
6. Choose Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"name\": \"4ba5c359-495f-4ba6-9897-7fdbc0aed675\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
To learn more, see Access logs for your Classic Load Balancer in User Guide for Classic Load Balancers.
\",\r\n \"remediationDescription\": \"To remediate this issue, configure your load balancer to drop invalid header fields.
To configure the load balancer to drop invalid header fields
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Load balancers.
3. Choose an Application Load Balancer.
4. From Actions, choose Edit attributes.
5. Under Access logs, choose Enable.
6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
7. Choose Save\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"name\": \"5c508bf1-26f9-4696-bb61-8341d395e3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured.
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.
To enable deletion protection from the console
1. Open the Amazon EC2 console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Choose the load balancer.
4. On the Description tab, choose Edit attributes.
5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.
6. Choose Save.
To learn more, see Deletion protection in User Guide for Application Load Balancers.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"name\": \"dd60e31e-073a-42b6-9b23-db7ca86fd5e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancers should have connection draining enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Classic Load Balancers have connection draining enabled.
Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.\",\r\n \"remediationDescription\": \"To enable connection draining on Classic Load Balancers, following the steps in Configure connection draining for your Classic Load Balancer in User Guide for Classic Load Balancers.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"name\": \"9b63a099-6c0c-4354-848b-17de1f3c8ae3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"Node-to-node encryption can only be enabled on a new domain. 
To remediate this finding, first create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"name\": \"de8ae504-ec39-4ffb-b3ef-6e36fdcbb455\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

1. Open the Amazon S3 console.
2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
3. Choose Permissions, and then choose Bucket Policy.
4. In the Bucket policy editor text box, do one of the following:
* Remove the statements that grant access to denied actions to other AWS accounts
* Remove the permitted denied actions from the statements
5. Choose Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"name\": \"11d0f4af-6924-4a2e-8b66-781a4553c828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on AWS connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.
Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all EKS clusters in an AWS account connected to Microsoft Defender for Cloud:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
3. Under \\\"Select plans\\\", set \\\"Containers\\\" to \\\"On\\\".
4. Select \\\"Next: Configure access\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"name\": \"38307993-84fb-4636-8ce7-3a64466bb5cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct EKS cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
Note: When the process completes, it may take up to 12 hours until your resource moves to the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"name\": \"7d3a977e-46f1-419a-9046-4bd44db80aac\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides protections for your EKS clusters.
To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"To grant the required permissions:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. 2. Open the \\\"Environment settings\\\" page and select the relevant AWS account.
  3. In the edit connector wizard, skip to step 3, \\\"Configure access\\\".
  4. Download the CloudFormation template.
  5. Open the template and copy the ARNs for the following roles:
    AzureDefenderKubernetesRole
    AzureDefenderKubernetesScubaReaderRole
    AzureDefenderCloudWatchToKinesisRole
    AzureDefenderKinesisToS3Role
  6. Folow the steps in \\\"Create Stack in AWS\\\" for those roles.
  7. In the connector wizard, update the role ARNs with the ARNs copied from the template.
  8. Save the changes.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/30/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"name\": \"4aa0f6dc-40be-43b2-92f1-3a52ad9d68d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, you enable automatic rotation for your secrets.
To enable automatic rotation for secrets
1. Open the Secrets Manager console.
2. To find the secret that requires rotating, enter the secret name in the search field.
3. Choose the secret you want to rotate, which displays the secrets details page.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. For Select Rotation Interval, choose a rotation interval.
7. Choose a Lambda function for rotation. For information about customizing your Lambda rotation function, see Understanding and customizing your Lambda rotation function in the AWS Secrets Manager User Guide.
8. To configure the secret for rotation, choose Next.
To learn more about Secrets Manager rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"name\": \"bec42e2d-956b-4940-a37d-7c1b1e8c525f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.
Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.
To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration.
To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.
For help on how to diagnose and fix common errors related to secrets rotation, see Troubleshooting AWS Secrets Manager rotation of secrets in the AWS Secrets Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"name\": \"bfa82db5-c112-44f0-89e6-a9adfb9a4028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remove unused Secrets Manager secrets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed within the defined number of days, this control fails.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.\",\r\n \"remediationDescription\": \"You can delete inactive secrets from the Secrets Manager console.
To delete inactive secrets
1. Open the Secrets Manager console
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to delete.
4. Under Secret details, from Actions, choose Delete secret.
5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
6. Choose Schedule deletion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"name\": \"323f0eb4-ea19-4b55-83e9-d104009616b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should be rotated within a specified number of days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.\",\r\n \"remediationDescription\": \"You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
1. Open the Secrets Manager console.
2. To locate the secret, enter the secret name in the search box.
3. Choose the secret to display.
4. Under Rotation configuration, choose Edit rotation.
5. From Edit rotation configuration, choose Enable automatic rotation.
6. From Select Rotation Interval, choose the rotation interval.
7. Choose a Lambda function to use for rotation.
8. Choose Next.
After you configure the secret for automatic rotation, under Rotation Configuration, choose Rotate secret immediately.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"name\": \"ad593449-a095-47b5-91b8-894396a1aa7f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS WAF Classic global web ACL logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.
Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.\",\r\n \"remediationDescription\": \"You can enable logging for a web ACL from the Kinesis Data Firehose console.
To enable logging for a web ACL
1. Open the Kinesis Data Firehose console.
2. Create a Kinesis Data Firehose delivery stream.
The name must start with the prefix aws-waf-logs-. For example, aws-waf-logs-us-east-2-analytics.
Create the Kinesis Data Firehose delivery stream with a PUT source and in the Region where you operate. If you capture logs for Amazon CloudFront, create the delivery stream in US East (N. Virginia). For more information, see Creating an Amazon Kinesis Data Firehose delivery stream in the Amazon Kinesis Data Firehose Developer Guide.
3. From \\\"Services\\\", choose \\\"WAF & Shield\\\". Then choose \\\"Switch to AWS WAF Classic\\\".
4. From \\\"Filter\\\", choose \\\"Global (CloudFront)\\\".
5. Choose the web ACL to enable logging for.
6. Under \\\"Logging\\\", choose \\\"Enable logging\\\".
7. Choose the Kinesis Data Firehose delivery stream that you created earlier. You must choose a delivery stream that has a name that begins with aws-waf-logs-.
8. Choose \\\"Enable logging\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"name\": \"678b2afa-7fc7-45e5-ad4e-2c49efb57ac8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:

Database engineParameters
MariaDBgeneral_log=1
slow_query_log=1
log_output = FILE
- MariaDB also requires a custom options group, explained below.
MySQLgeneral_log=1
slow_query_log=1
log_output = FILE
PostgreSQLlog_statement=all
log_min_duration_statement=minimum query duration (ms) to log

To create a custom DB parameter group
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Parameter groups\\\".
3. Choose \\\"Create parameter group\\\". The \\\"Create parameter group\\\" window appears.
4. In the \\\"Parameter group\\\" family list, choose a DB parameter group family.
5. In the \\\"Type\\\" list, choose \\\"DB Parameter Group\\\".
6. In \\\"Group name\\\", enter the name of the new DB parameter group.
7. In \\\"Description\\\", enter a description for the new DB parameter group.
8. Choose \\\"Create\\\".

To create a new option group for MariaDB logging by using the console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Option groups\\\".
3. Choose \\\"Create group\\\".
4. In the \\\"Create option group\\\" window, do the following:
  • For \\\"Name\\\", type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
  • For \\\"Description\\\", type a brief description of the option group. The description is used for display purposes.
  • For \\\"Engine\\\", choose the DB engine that you want.
  • For \\\"Major engine version\\\", choose the major version of the DB engine that you want.
5. To continue, choose \\\"Create\\\".
6. Choose the name of the option group you just created.
7. Choose \\\"Add option\\\".
8. Choose \\\"MARIADB_AUDIT_PLUGIN\\\" from the \\\"Option name\\\" list.
9. Set \\\"SERVER_AUDIT_EVENTS\\\" to \\\"CONNECT\\\", \\\"QUERY\\\", \\\"TABLE\\\", \\\"QUERY_DDL\\\", \\\"QUERY_DML\\\", \\\"QUERY_DCL\\\".
10. Choose Add option.

To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Log exports\\\", choose all of the log files to start publishing to CloudWatch Logs.
\\\"Log exports\\\" is available only for database engine versions that support publishing to CloudWatch Logs.
6. Choose \\\"Continue\\\". Then on the summary page, choose \\\"Modify DB Instance\\\".

To apply a new DB parameter group or DB options group to an RDS DB instance
1. Open the Amazon RDS console.
2. In the navigation pane, choose \\\"Databases\\\".
3. Choose the DB instance that you want to modify.
4. Choose \\\"Modify\\\". The \\\"Modify DB Instance\\\" page appears.
5. Under \\\"Database options\\\", change the DB parameter group and DB options group as needed.
6. When you finish you changes, choose \\\"Continue\\\". Check the summary of modifications.
7. (Optional) Choose \\\"Apply immediately\\\" to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting in the Amazon RDS User Guide.
8. Choose \\\"Modify DB Instance\\\" to save your changes.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"name\": \"cd307f02-2ca7-44b4-8c1b-b580251d613c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled.
IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"name\": \"3ac30502-52e5-4fc6-af40-095dddfbc8b9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB cluster has IAM database authentication enabled.
IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update your DB instance to enable IAM authentication.
To enable IAM authentication for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Select the DB cluster to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", choose \\\"Enable IAM DB authentication\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. The options are \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"name\": \"d352afac-cebc-4e02-b474-7ef402fb1d65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS automatic minor version upgrades should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic minor version upgrades are enabled for the RDS database instance.
Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"You can enable minor version upgrades for a DB instance from the Amazon RDS console.
To enable automatic minor version upgrades for an existing DB instance
1. Open the Amazon RDS console.
2. Choose \\\"Databases\\\".
3. Choose the DB instance to modify.
4. Choose \\\"Modify\\\".
5. Under \\\"Maintenance\\\", select \\\"Yes\\\" for \\\"Auto minor version upgrade\\\".
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications: \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. Choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"name\": \"d0ef47dc-95aa-4765-a075-72c07df8acff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Aurora clusters should have backtracking enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Aurora clusters have backtracking enabled.
Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.
For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.\",\r\n \"remediationDescription\": \"For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide.
Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking.For information about pricing for backtracking, see the Aurora pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"name\": \"176f9062-64d0-4edd-bb0f-915012a6ef16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.
These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"To remediate this issue from the AWS CLI, use the Amazon Redshift modify-cluster command to set the --allow-version-upgrade attribute.
Copy the following command aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade Where clustername is the name of your Amazon Redshift cluster.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"name\": \"1ee72ceb-2cb7-4686-84e6-0e1ac1c27241\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should use enhanced VPC routing\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.\",\r\n \"remediationDescription\": \"For detailed remediation instructions, see Enabling enhanced VPC routing in the Amazon Redshift Cluster Management Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"name\": \"036bb56b-c442-4352-bb4c-5bd0353ad314\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to '1'.
TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"To remediate this issue, update the parameter group to require encryption.
To modify a parameter group
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
3. Choose the parameter group that you want to modify.
4. Choose Parameters.
5. Choose Edit parameters then set require_ssl to '1'.
6. Enter your changes and then choose Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a152832-6600-49d1-89be-82e474190e13\",\r\n \"name\": \"7a152832-6600-49d1-89be-82e474190e13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To remediate this issue, update the snapshot retention period to at least 7.
To modify the snapshot retention period
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Edit\\\".
4. Under \\\"Backup\\\", set \\\"Snapshot retention\\\" to a value of 7 or greater.
5. Choose \\\"Modify Cluster\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"name\": \"e2a0ec17-447b-44b6-8646-c0b5584b6b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon Redshift cluster has audit logging enabled.
Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.\",\r\n \"remediationDescription\": \"To enable cluster audit logging
1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
2. In the navigation menu, choose \\\"Clusters\\\", then choose the name of the cluster to modify.
3. Choose \\\"Maintenance and monitoring\\\"
4. Under \\\"Audit logging\\\", choose \\\"Edit\\\".
5. Set \\\"Enable audit logging\\\" to \\\"yes\\\", then enter the log destination bucket details.
6. Choose \\\"Confirm\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"name\": \"4170067b-345d-47ed-ab4a-c6b6046881f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk environments should have enhanced health reporting enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.
Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.
Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to enable enhanced health reporting, see Enabling enhanced health reporting using the Elastic Beanstalk console in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"name\": \"820f6c6e-f73f-432c-8c60-cae1794ea150\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Beanstalk managed platform updates should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"his control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.
Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to enable managed platform updates, see To configure managed platform updates under Managed platform updates in the AWS Elastic Beanstalk Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"10/04/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"name\": \"f48af569-2e67-464b-9a62-b8df0f85bc5e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domain error logging to CloudWatch Logs should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.
You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For information on how to enable log publishing, see Enabling log publishing (console) in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"name\": \"12ebb4cd-34b6-4c3a-bee9-7e35f4f6caff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have audit logging enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.
Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.\",\r\n \"remediationDescription\": \"For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"name\": \"994cbcb3-43d4-419d-b5c4-9adc558f3ca2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have at least three data nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true.
An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of data nodes in an Elasticsearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Data nodes\\\", set \\\"Number of nodes\\\" to a number greater than or equal to three. For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.
5. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"name\": \"b4b9a67c-c315-4f9b-b06b-04867a453aab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should be configured with at least three dedicated master nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.\",\r\n \"remediationDescription\": \"To modify the number of dedicated master nodes in an OpenSearch domain
1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/es/.
2. Under \\\"My domains\\\", choose the name of the domain to edit.
3. Choose \\\"Edit domain\\\".
4. Under \\\"Dedicated master nodes\\\", set \\\"Instance type\\\" to the desired instance type.
5. Set \\\"Number of master nodes\\\" equal to three or greater.
6. Choose \\\"Submit\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"name\": \"effb5011-f8db-45ac-b981-b5bdfd7beb88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Elasticsearch domains should be encrypted using TLS 1.2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.
HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.\",\r\n \"remediationDescription\": \"To enable TLS encryption, use the UpdateDomainConfig API operation to configure the DomainEndpointOptions in order to set the TLSSecurityPolicy. For more information, see the Amazon OpenSearch Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"name\": \"83f16376-e2dd-487d-b5ee-ba67fef4c5c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled at the bucket level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails is if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.\",\r\n \"remediationDescription\": \"For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"name\": \"340a07a1-7d68-4562-ac25-df77c214fe13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SQS queues should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon SQS queues are encrypted at rest.
Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.
For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.\",\r\n \"remediationDescription\": \"For information about managing SSE using the AWS Management Console, see  Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"name\": \"882a80f0-943f-473e-b6d7-40c7a625540e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS accounts should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\".
2. For the relevant AWS account, select the three dots at the end of the row, and select \\\"Edit settings\\\".
3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\".
4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button.
5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"name\": \"231dee23-84db-44d2-bd9d-c32fbcfb42a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your EC2 instances to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\".
2. From the top left corner, select \\\"Add\\\".
3. From \\\"Add a single server\\\", select \\\"Generate script\\\".
4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's AWS account.
5. Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"25/10/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"name\": \"f1736090-65fc-454f-a437-af58fd91ad1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS databases and clusters should not use a database engine default port\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.
If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance.
The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.
When you change the port, you must also update the existing connection strings that were used to connect to the old port.
You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.\",\r\n \"remediationDescription\": \"To modify the default port of an existing DB instance
1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
2. Choose \\\"Databases\\\".
3. Select the DB instance to modify
4. Choose \\\"Modify\\\".
5. Under \\\"Database options\\\", change \\\"Database port\\\" to a non-default value.
6. Choose \\\"Continue\\\".
7. Under \\\"Scheduling of modifications\\\", choose when to apply modifications. You can choose either \\\"Apply during the next scheduled maintenance window\\\" or \\\"Apply immediately\\\".
8. For clusters, choose \\\"Modify cluster\\\". For instances, choose \\\"Modify DB Instance\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"name\": \"0dc124a8-2a69-47c5-a4e1-678d725a33ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS task definitions should have secure networking modes and user definitions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.
The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.
If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.
This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted in to elevated privileges.\",\r\n \"remediationDescription\": \"For information on how to update a task definition, see Updating a task definition in the Amazon Elastic Container Service Developer Guide.
Note that when you update a task definition, it does not update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"name\": \"9bb205cd-a931-4f77-a620-0a263479732b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon ECS services should not have public IP addresses assigned to them automatically\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A public IP address is an IP address that is reachable from the internet.
If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.
Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.\",\r\n \"remediationDescription\": \"To disable automatic public IP assignment, see To configure VPC and security group settings for your service in the Amazon Elastic Container Service Developer Guide.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"name\": \"0e68b4d8-1a5e-47fc-a3eb-b3542fea43f1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.
ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.
ACM also does not automatically renew certificates that you import. You must renew imported certificates manually.
For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.\",\r\n \"remediationDescription\": \"ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.
\\\"For domains validated by email\\\"
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name.
To validate the domains and complete the renewal, you must respond to the email notifications.
For more information, see Renewal for domains validated by email in the AWS Certificate Manager User Guide.
\\\"For domains validated by DNS\\\"
ACM automatically renews certificates that use DNS validation. 60 days before the expiration, ACM verifies that the certificate can be renewed.
If it cannot validate a domain name, then ACM sends a notification that manual validation is required.
It sends these notifications 45 days, 30 days, 7days, and 1 day before the expiration.
For more information, see Renewal for domains validated by DNS in the AWS Certificate Manager User Guide.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"name\": \"aad436f2-f0a2-46d8-acf1-19452fb732d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC subnets should not allow automatic public IP assignment\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC subnets which allow automatic public IP assignment.
VPC subnet is a part of the VPC having its own rules for traffic.
Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from \\\"region drop down\\\" on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC\\\" service. 4. In the navigation pane, click on \\\"Subnets\\\". 5. Select the identified Subnet and choose the option \\\"Modify auto-assign IP settings\\\" under the Subnet Actions. 6. Disable the \\\"Auto-Assign IP\\\" option and save it.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"name\": \"1a3697e4-d854-41a5-a3df-d6a5fc664689\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 bucket should not be configured with policy overly permissive to VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. It is a leading practice to follow the principle of least privileges ensuring that the VPC endpoints have only necessary permissions instead of full permission on S3 operations.
NOTE: When working with Amazon S3 bucket policies for VPC endpoints, you might block your access to that bucket without intending to do so.
Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.
Additionally, The Amazon S3 bucket policy might disable console access to the specified bucket because console requests don't originate from the specified VPC endpoint.
Hence, additional care should be taken while remediating any such overly permissive policies.
For more details refer https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the S3 dashboard. 3. Choose the reported S3 bucket. 4. In the \\\"Permissions\\\" tab, click on the \\\"Bucket Policy\\\". 5. Update the S3 bucket policy for the VPC endpoint so that it has only required permissions instead of full S3 permission.
Refer for example: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"name\": \"0ca6e24c-b113-429c-83e1-38e8c4b91396\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC enpoint should not be configured with policy overly permissive to any principal\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive.
When the Principal element value is set to '*' within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts.
It is a leading practice to follow the principle of least privileged VPCE policy ensuring security against any data leakage and unauthorized access.

For more details refer:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the \\\"VPC dashboard\\\". 4. Go to \\\"Endpoints\\\", from the left panel VIRTUAL PRIVATE CLOUD section. 5. Select the reported VPC endpoint. 6. On the \\\"Actions\\\" drop-down button, click on the \\\"Edit policy\\\". 7. On the \\\"Edit Policy\\\" page, Choose \\\"Custom\\\" policy.
a. Then add policy, without the \\\"Everyone\\\" grantee (i.e. '*' or 'AWS': '*') from the Principal element value with an AWS account ID (e.g. '123456789'), an AWS account ARN (e.g. 'arn:aws:iam::123456789:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789:user/vpce-admin').
b. Add a Condition clause to the policy statement to filter the endpoint access to specific entities. 8. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"name\": \"ed36584a-91d9-4639-ae8d-893d0f2cb462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront distribution should have WAF enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Amazon CloudFront web distributions which don't have AWS Web Application Firewall (AWS WAF) protection enabled.
it is a leading practice to enable the AWS WAF service on CloudFront web distributions to protect web applications from common web exploits, application layer attacks that could affect application availability, compromise security, or consume excessive resources.
To block malicious requests to your Cloudfront Content Delivery Network you should define the 'block' criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button. 5. On \\\"Edit Distribution\\\" page, Choose a \\\"AWS WAF Web ACL\\\" from dropdown. 6. Click on \\\"Yes, Edit\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45f50501-deed-438b-b931-340078d0022f\",\r\n \"name\": \"45f50501-deed-438b-b931-340078d0022f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cloudfront should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS cloudfront distribution not configured with AWS WAF V2 web acl.
As a leading practice it is recommended to configure AWS WAF v2 on the cloudfront to protect against application-layer attacks.
To block malicious requests to your cloudfront, define the block criteria in the WAFv2 web acl.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Go to the CloudFront Distributions Dashboard. 3. Click on the reported web distribution. 4. On \\\"General\\\" tab, Click on \\\"Edit\\\" button under \\\"Settings\\\". 5. On \\\"Edit Distribution\\\" page, from \\\"AWS WAF Web ACL\\\" dropdown select WAFv2 ACL which you want to apply.
Note: In case no WAFv2 ACL found from \\\"AWS WAF Web ACL\\\" dropdown list, Please follow below URL to create WAFv2 ACL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-creating.html. 6. Click on \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"name\": \"b288b879-d5e3-49d0-9bad-a9ddf738838a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST API should have AWS WAF V2 enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS API Gateway REST API which is not configured with AWS Web Application Firewall protection.
As a leading practice, you should enable the AWS WAF service on API Gateway REST API to protect against common web exploits, application layer attacks.
To block malicious requests to your API Gateway REST API, define the block criteria in the WAF web access control list (web ACL).\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Make sure your the reported API Gateway REST API requires WAF based on your requirement and Note down the API Gateway REST API name Follow steps given in below URL to associate API Gateway REST API to WAF Web ACL ,
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"name\": \"eb2a1621-6fe5-4b17-be36-082897f04987\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"ELB v2 should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers v2 (ELBv2) which are configured with SSL negotiation policy containing weak ciphers.
To simplify, An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that uses encryption keys to establish a secure connection between two entities usually the client (a user's browser) and the web server they are connecting to (your website).
As many of the other ciphers are not secure as per industry standards, it is recommended to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the EC2 Dashboard, and select \\\"Load Balancers\\\". 4. Click on the reported Load Balancer. 5. On the 'Listeners' tab, Choose the \\\"HTTPS\\\" or 'SSL' rule; Click on \\\"Edit\\\", Change 'Security policy' to other than \\\"ELBSecurityPolicy-TLS-1-0-2015-04\\\" as it contains DES-CBC3-SHA cipher, which is a weak cipher. 6. Click on \\\"Update\\\" to save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"name\": \"9d13e510-5e69-43ec-921f-fe52e2ecc36b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC route table should not allow VPC peering overly permissive to all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies VPC route tables with overly permissive peering connection to all traffic.
It is a leading practice to ensure selective peering connection route tables to reduce the attack surface as resources outside of these routes are inaccessible to the peered VPC.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"VPC\\\" dashboard from \\\"Services\\\" dropdown. 4. From left menu, select \\\"Route Tables\\\". 5. Click on the alerted route table. 6. From top click on \\\"Action\\\" button. 7. From the Action menu dropdown, select \\\"Edit routes\\\". 8. From the list of destination remove the extra permissive destination by clicking the cross symbol available for that destination. 9. Add a destination with \\\"least access\\\". 10. Click on \\\"Save Routes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"name\": \"5e4503df-e4f7-4055-a38e-ff8ae44dfd1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS key automatic rotation is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS KMS key that are not enabled with key rotation.
As a security leading practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Key Management Service (KMS). 4. Click on \\\"Customer managed keys\\\" (Left Panel). 5. Select reported KMS Customer managed key. 6. Under the \\\"Key Rotation\\\" tab, Enable \\\"Automatically rotate this KMS every year\\\". 7. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"name\": \"4c548e51-ca15-4b21-92b7-80acef51da37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrails logs should be encrypted using AWS KMS key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check ensures that CloudTrail logs are encrypted using AWS KMS key.
AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account.
It is a compliance and security leading practice to encrypt the CloudTrail data with AWS KMS key as it may contain sensitive information.\",\r\n \"remediationDescription\": \"1. Login to AWS Console and navigate to the \\\"CloudTrail\\\" service. 2. For each trail, under Configuration > Storage Location, select \\\"Yes\\\" to \\\"Encrypt log files\\\" setting. 3.Choose and existing KMS key or create a new one to encrypt the logs with.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"name\": \"2a102936-e0ab-4ab6-ab05-0cb15a6587f6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RedShift cluster should be encrypted using customer-managed keys (CMKs)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Redshift Clusters which are encrypted with default KMS keys and not with customer-managed key.
It is a leading practice to use customer managed KMS Keys to encrypt your Redshift databases data.
Customer-managed CMKs give you more flexibility, including the ability to create, rotate, disable, define access control for,
and audit the encryption keys used to help protect your data.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift. 2. On the navigation menu, choose \\\"Clusters\\\", then choose the cluster that you want to modify encryption. 3. Choose \\\"Properties\\\". 4. In the Database configurations section, choose \\\"Edit\\\" then choose \\\"Edit encryption\\\". 5. Choose \\\"customer-managed key encryption options\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"name\": \"885a3b62-d0de-4e54-aaba-f58875fb7888\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be encrypted using CMK\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.\",\r\n \"remediationDescription\": \"AWS EFS Encryption of data at rest can only be enabled during file system creation. In order to resolve this alert, create a new EFS with encryption enabled with the customer-managed key, then migrate all required data from the reported EFS to this newly created EFS and delete reported EFS.

To create new EFS with encryption enabled, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Click on \\\"Create file system\\\" button. 5. On the \\\"Configure file system access\\\" step, specify EFS details as per your requirements and Click on \\\"Next Step\\\". 6. On the \\\"Configure optional settings\\\" step, Under \\\"Enable encryption\\\" Choose \\\"Enable encryption of data at rest\\\" and Select customer managed key from \\\"Select KMS master key\\\" dropdown list along with other parameters and Click on \\\"Next Step\\\". 7. On the \\\"Review and create\\\" step, Review all your setting and Click on \\\"Create File System\\\" button.

To delete reported EFS which does not has encryption, perform the following:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to EFS dashboard and click on \\\"File systems\\\" on the left panel. 4. Select the reported file system. 5. Click on \\\"Actions\\\" drop-down. 6. Click on \\\"Delete file system\\\". 7. In the \\\"Permanently delete file system\\\" popup box, To confirm the deletion enter the file system's ID and Click on \\\"Delete File System\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"name\": \"db0cfb9d-c281-4301-92aa-3d6d12837d8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policy should not allow assume role permission across all services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS IAM policy which allows assume role permission across all services. Typically, AssumeRole is used if you have multiple accounts and need to access resources from each account then you can create long term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Navigate to the \\\"IAM\\\" service. 3. Identify the reported policy. 4. 
Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"name\": \"894259c2-c1d5-47dc-b5c6-b242d5c76fdf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS instance should be configured with automatic backup settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS instances which are not set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during the specified backup window time and keeps the backups for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers that will help in the data restoration process.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated. 3. Navigate to \\\"Amazon RDS\\\" console. 4. Choose \\\"DB Instances\\\", and then select the \\\"reported DB\\\" instance. 5. On \\\"Instance Actions\\\" drop-down list, choose \\\"Modify\\\". 6. In \\\"Backup\\\" section,
a. From the \\\"Backup Retention Period\\\" drop-down list, select the number of days you want RDS should retain automatic backups of this DB instance. b. Choose \\\"Start Time\\\" and \\\"Duration\\\" in \\\"Backup window\\\" which is the daily time range (in UTC) during which automated backups created. 7. Click on \\\"Continue\\\". 8. On the confirmation page, choose \\\"Modify DB Instance\\\" to save your changes\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"name\": \"a5e0d700-3de1-469a-96d2-6536d9a92604\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic Load Balancer should not have ACM certificate expired or expiring in 90 days.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it is recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service dashboard. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on 'Reimport certificate'. 6. On the \\\"Import a certificate\\\" page:
6a. For \\\"Certificate body*\\\", paste the PEM-encoded certificate to import. 6b. For \\\"Certificate private key*\\\", paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key. 6c. (Optional) For \\\"Certificate chain\\\", paste the PEM-encoded certificate chain delivered. 6d. Click Review and import button to continue the process. 7. On the \\\"Review and import\\\" page, review the imported certificate details then click on \\\"Import\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"name\": \"9137f5de-aac8-4cee-a22f-8d81f19be67f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon RDS database should be encrypted using customer managed key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.\",\r\n \"remediationDescription\": \"You can set AWS RDS database encryption only during database creation. Thus, the steps for resolving this alert requires you to create a new RDS database with a customer managed key for encryption, migrate the data from the identified database to this newly created database, and delete the RDS database identified in the alert.

To create a new RDS database with encryption using a customer managed key:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Select \\\"Create database\\\". 5. On the \\\"Select engine\\\" page, select \\\"Engine options\\\" and \\\"Next\\\". 6. On the \\\"Choose use case\\\" page, select \\\"Use case\\\" of database and \\\"Next\\\". 7. On the \\\"Specify DB details\\\" page, specify the database details you need and click \\\"Next\\\". 8. On the \\\"Configure advanced settings\\\" page, Under \\\"Encryption\\\", select \\\"Enable encryption\\\" and select the customer managed key from \\\"Master key\\\" dropdown list. 9. Select \\\"Create database\\\".

To delete the RDS database that uses the default KMS keys, which triggered the alert:
1. Log in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the Amazon RDS Dashboard. 4. Click on Instances, and select the reported RDS database. 5. Select the \\\"Instance actions\\\" drop-down and click \\\"Delete\\\". 6. In the \\\"Delete\\\" dialog, select the \\\"Create final snapshot?\\\" checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"name\": \"03a8f33c-b01c-4dfc-b627-f98114715ae0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM should not have expired SSL/TLS certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it is recommended to delete expired certificates.\",\r\n \"remediationDescription\": \"Removing invalid certificates through AWS Management Console is currently not supported. To delete SSL/TLS certificates stored in IAM through the AWS API i.e. the Command Line Interface (CLI).

Remediation CLI:
1. Run describe-load-balancers command to make sure that the expired server certificate is not currently used by any active load balancer.
aws elb describe-load-balancers --region 'COMPUTE_REGION' --load-balancer-names 'ELB_NAME' --query 'LoadBalancerDescriptions[*].ListenerDescriptions [*].Listener.SSLCertificateId'

- This command output will return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:
arn:aws:iam::1234567890:server-certificate/MyCertificate

- If the load balancer listener using the reported expired certificate is not removed before the certificate, the ELB may continue to use the same certificate and work improperly. Thus, to delete the ELB listener that is using the expired SSL certificate, run following command:
aws elb delete-load-balancer-listeners --region 'COMPUTE_REGION' --load-balancer-name 'ELB_NAME' --load-balancer-ports 443

2. Now that is safe to remove the expired SSL/TLS certificate from AWS IAM, To delete it run:
aws iam delete-server-certificate --server-certificate-name 'CERTIFICATE_NAME'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"name\": \"0cd8771b-44a7-46bd-b8ba-2fb84d20d8d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 Classic instance should be configured with VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS EC2 instances which are still using EC2 Classic. With EC2-Classic(if your AWS Account supports it), your instances run in a single, flat network that you share with other customers.
Where as with Amazon VPC, your instances run in a virtual private cloud (VPC) that's logically isolated to your AWS account.
It is a security good practice that deploying VPCs will enable you to leverage enhanced infrastructure security controls.
Note: This alert only triggers in regions that support launching into AWS Classic\",\r\n \"remediationDescription\": \"1. Open the AWS Systems Manager console, and then choose \\\"Automation\\\" from the navigation pane. 2. Choose \\\"Execute automation\\\". 3. On the Owned by \\\"Amazon tab\\\", in the \\\"Automation document search box\\\", enter MigrateEC2Classic. 4. Select the \\\"radio button\\\" for the AWSSupport-MigrateEC2ClassicToVPC document, and then choose \\\"Next\\\". 5. Under Input parameters, for \\\"InstanceId\\\", enter your source \\\"EC2-Classic instance ID\\\". 6. For \\\"AutomationAssumeRole\\\" and \\\"TargetInstanceType\\\", choose your required parameters. By default, \\\"TargetInstanceType\\\" is set to t2.xlarge.
Note:: For more information about the AWS Identity and Access Management (IAM) permissions that are required for AutomationAssumeRole to successfully run the Automation, see AWSSupport-MigrateEC2ClassicToVPC. 7. For \\\"MigrationType\\\", select \\\"Test\\\" or \\\"CutOver\\\". 8. If you select \\\"CutOver\\\" for \\\"MigrationType\\\", then \\\"set\\\" the following parameters:
\\\"SNSNotificationARNForApproval\\\": Enter the ARN of the SNS topic used to send Approval notifications to stop the source instance.
\\\"ApproverIAM\\\": Enter the ARN of the IAM users or roles that can approve or reject the action to stop the source instance. 9. Choose \\\"Execute\\\".
Note: You should also consider disable EC2 Classic in the region to prevent further use.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"name\": \"04bf6bba-7661-45b7-8d81-a25d34330b7a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AppSync should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS AppSync which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AppSync to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console and open the \\\"AppSync Console\\\". 2. Choose the \\\"API\\\" that you want to associate with a \\\"web ACL\\\". 3. In the navigation \\\"pane\\\", choose \\\"Settings\\\". 4. In the \\\"Web application firewall\\\" section, turn on \\\"Enable AWS WAF\\\". 5. In the \\\"Web ACL\\\" dropdown list, choose the \\\"name\\\" of the \\\"web ACL\\\" to associate with your API. 6. Choose \\\"Save\\\" to associate the web ACL with your API.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"name\": \"f9a947ba-7d72-482d-9a73-f426e931d4ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Application Load Balancer should be configured with AWS WAF V2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS ALB(Application Load Balancer) which is not configured with AWS Web Application Firewall V2.
As a leading practice, enable the AWS WAF service on AWS ALB to protect against application layer attacks.
To block malicious requests to your AppSync, you can define the block criteria in the WAF web access control list (web ACL) for granular control.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Make sure your the reported \\\"Application Load Balancer\\\" requires \\\"WAF\\\" based on your requirement and Note down the load balancer name. 3. Navigate to \\\"WAF & Shield\\\" dashboard. 4. Click on \\\"Web ACLs\\\", under \\\"AWS WAF\\\" section from left panel. 5. If Web ACL is not created; create a new \\\"Web ACL\\\" and add reported \\\"Application Load Balancer\\\" to \\\"Associated AWS resources\\\". 6. If you have Web ACL already created; Click on \\\"Web ACL\\\" and add your reported Application \\\"Load Balancer\\\" to \\\"Associated AWS resources\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"name\": \"2ab12a85-37fc-47f3-a570-4688945ac7c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation configured with vulnerable SSL protocol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing vulnerable SSL protocol.
The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between the client and your load balancer is private.
As a security leading practice, it is important to use the latest version SSL protocol.\",\r\n \"remediationDescription\": \"1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to \\\"EC2 Dashboard\\\" and click on \\\"Load Balancers\\\" (Left Panel). 4. Click on the reported Load Balancer's \\\"Listeners\\\" tab and Click on \\\"Edit\\\" button. 5. On \\\"Edit Listeners\\\" popup for rule \\\"HTTPS/SSL\\\", - If your cipher is \\\"Predefined Security Policy\\\", change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01 or latest\\\" (OR) - If your cipher is \\\"Custom Security Policy\\\", Choose \\\"Protocol-TLSv1.2\\\" only on \\\"SSL Protocols\\\" section. 6. Click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"name\": \"e44dfbce-8551-4935-8016-ccad8701ad12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Classic Load Balancer should not have SSL negotiation policy configured with weak cipher\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies Elastic Load Balancers (Classic) which are configured with SSL negotiation policy containing insecure ciphers.
An SSL cipher is an encryption algorithm that uses encryption keys to create a coded message.
SSL protocols use several SSL ciphers to encrypt data over the Internet.
As many of the other ciphers are not secure, it is a leading practice to use only the ciphers recommended in the following AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html\",\r\n \"remediationDescription\": \"1. Sign in to the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Go to the \\\"EC2 Dashboard\\\", and select \\\"Load Balancers\\\". 4. Click on the reported \\\"Load Balancer\\\". 5. On \\\"Listeners\\\" tab, Change the cipher for the \\\"HTTPS/SSL\\\" rule. - For a \\\"Predefined Security Policy', change \\\"Cipher\\\" to \\\"ELBSecurityPolicy-TLS-1-2-2017-01' or latest\\\" - For a \\\"Custom Security Policy\\\", select from the secure ciphers as recommended in the below AWS link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html. 6. \\\"Save\\\" your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"name\": \"fef14c73-c63f-4bcb-883b-113288b6d77b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC should not allow unauthorized peering connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the VPCs which have unauthorized peering. The leading practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources.\",\r\n \"remediationDescription\": \"1. Sign in to the AWS Console and navigate to AWS VPC service console. 2. In the left navigation panel, select \\\"Peering Connection\\\". 3. Choose the reported \\\"Peering Connection\\\". 4. Click on \\\"Actions\\\" and select \\\"Delete VPC Peering Connection\\\". 5. 
click on \\\"Yes, Delete\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"name\": \"470dc8a8-f118-40a1-96ed-a30f026c3d01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Route53 having public hosted zone with private records\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A hosted zone is a container for records (An object in a hosted zone that you use to define how you want to route traffic for the domain or a subdomain), which include information about how you want to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com). A hosted zone has the same name as the corresponding domain. A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain. It is best practice to avoid AWS Route 53 Public Hosted Zones containing DNS records for private IPs or resources within your AWS account to overcome information leakage of your internal network and resources.\",\r\n \"remediationDescription\": \"You can not convert a public hosted zone into a private hosted zone. Hence, it is a leading practice to create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC, and delete the associated public hosted zone once the Private hosted zone is configured with all the records.

To create a private hosted zone using the Route 53 console:
1. Sign into the AWS console and navigate to Route53 console. 2. choose Hosted Zones in the navigation pane. 3. Choose \\\"Create Hosted Zone\\\". 4. In the Create Private Hosted Zone pane, enter a \\\"domain name\\\". 5. In the Type list, choose \\\"Private Hosted Zone\\\" for Amazon VPC. 6. In the VPC ID list, choose the \\\"VPC\\\" that you want to associate with the hosted zone. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. 7. Choose \\\"Create\\\".

To delete a public hosted zone using the Route 53 console:

1. Sign into the AWS console and navigate to Route53 console. 2. Confirm that the hosted zone that you want to delete contains only an NS and an \\\"SOA record\\\". If it contains additional records, \\\"delete\\\" them. 3. On the Hosted Zones page, choose the \\\"row for the hosted zone\\\" that you want to delete. 4. Choose \\\"Delete Hosted Zone\\\". 5. Choose \\\"OK\\\" to confirm.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"name\": \"a5f791e6-be98-47ed-a865-538c759c62b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Certificate Manager certificate should not have wildcard domain name\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies ACM Certificates which are using wildcard certificates for wildcard domain name instead of single domain name certificates. ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, a wildcard certificate issued for *.prismacloud.io can match both www.prismacloud.io and images.prismacloud.io. When you use wildcard certificates, if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially impacted. 
So it is recommended to use single domain name certificates instead of wildcard certificates to reduce the associated risks with a compromised domain or subdomain.\",\r\n \"remediationDescription\": \"To remediate this finding, you have to replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.

To create a new certificate with a single domain:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. In \\\"Request a certificate\\\" page enter the information requested:
a. On Step 1: \\\"Add domain names\\\" page, in the \\\"Domain name\\\" box, type the fully qualified domain name. Click on \\\"Next\\\". b. On Step 2: \\\"Select validation method\\\" page, Select the validation method. Click on \\\"Review\\\". c. On Step 3: \\\"Review\\\" page, review the domain name and validation method details. click on \\\"Confirm\\\". d. On Step 4: \\\"Validation\\\" page, validate the certificate request based on the validation method selected. then click on \\\"Continue\\\".

The certificate status should change from \\\"Pending validation\\\" to \\\"Issued\\\". Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete the reported wildcard certificate:
1. Sign into the AWS console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to Amazon Certificate Manager(ACM) service. 4. Choose the reported certificate. 5. Under \\\"Actions\\\" drop-down click on \\\"Delete\\\". 6. On \\\"Delete certificate\\\" popup windows, Click on \\\"Delete\\\" button.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"name\": \"0ad7b369-2c97-406d-ac70-5d9f22bfcbd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM Access Analyzer should be configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS regions in which the IAM Access Analyzer is not configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity and identify unintended access to your resources and data. So it is recommended to configure the Access analyzer in all regions in your account.\\n\\nNOTE: Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

For more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the IAM dashboard. 4. Go to \\\"Access analyzer\\\", from the left panel. 5. Click on the \\\"Create analyzer\\\" button. 6. On the Create analyzer page, enter the parameters as per your requirements. 7. Click on the \\\"Create analyzer\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"name\": \"851c1c56-3a4a-422d-b86b-efa629b043b0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon private ECR repository policy should not be overly permissive\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users.\",\r\n \"remediationDescription\": \"1. Log in to the AWS Console. 2. Choose the region from the top right corner, for which the alert is generated. 3. Navigate to the AWS ECR Repository service dashboard. 4. Go to \\\"Repository\\\", from the left panel. 5. Select the repository for which alert is being generated. 6. Select the \\\"Permissions\\\" option from left menu below 'repositories'. 7. Click on \\\"Edit policy JSON\\\" to modify the JSON so that Principal is restrictive. 8. 
After modifications, click on \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"name\": \"04e4dc63-ee46-405b-a02a-2a8395fe233d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS ECR Repository should not be publicly accessible through IAM policies.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. Ensure that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS ECR Repository service dashboard. 3. Find resource-based policy of the AWS ECR Repository resource. 4. 
Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"name\": \"1bd970e0-1d18-4aed-8216-d0005f6595c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFormation template should not contain globally open resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This alert triggers if a CloudFormation template that when launched will result in resources allowing global network access. Below are three common causes:\\n\\n- Security Group with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with a {0.0.0.0/0, ::/0} rule\\n- Network Access Control List with -1 IpProtocol\",\r\n \"remediationDescription\": \"It is a leading practice to review the template and ensure this is the intended behavior.
1. Goto the AWS CloudFormation dashboard. 2. Click on the Stack you want to modify. 3. Select the \\\"Template\\\" tab and then View in \\\"Designer\\\". 4. Make your template modifications. 5. Check for \\\"syntax errors\\\" in your template by choosing \\\"Validate template\\\" near the top of the page and save. 6. Choose \\\"Amazon S3 bucket\\\", name your template and Save. 7. Copy the bucket URL and click OK. 8. Select \\\"Close\\\" to close Designer. 9. Click on the \\\"Stack\\\" you want to modify. 10. From the \\\"Actions\\\" pull down menu, select \\\"Update stack\\\". 11. Choose \\\"Replace current template\\\" and paste the URL from Designer into the Amazon S3 URL field. Then click on \\\"Next\\\". 12. Specify stack details, then click on \\\"Next\\\". 13. Configure stack options, then click on \\\"Next\\\". 14. Review, then select \\\"Update\\\" stack near the bottom of the page.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"name\": \"baad8309-83f2-437a-a131-6e357c8db91f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Secret Manager resource IAM policy allow secret publically accessible.\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This check identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. Ensure that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks.\",\r\n \"remediationDescription\": \"1. Log in to the AWS console. 2. Navigate to the AWS Secret Manager Secret service. 3. 
Find resource-based policy of the AWS Secret Manager Secret resource. 4. Update the \\\"Principal\\\" section of the policy to avoid public access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"name\": \"f7b076bd-9747-490f-b04d-1cf0418bc428\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Domain transfer lock is not enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission.
It is a leading practice to lock your domain.\",\r\n \"remediationDescription\": \"To lock a domain to prevent unauthorized transfer to another registrar:

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. 2. In the navigation pane, choose \\\"Registered Domains\\\". 3. Choose the name of the domain that you want to update. 4. Choose \\\"Enable\\\" (to lock the domain) or \\\"Disable\\\" (to unlock the domain). 5. Choose \\\"Save\\\". \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"name\": \"06ee058b-9ba9-4a54-a6d3-7214703d309f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CASSANDRA port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.\",\r\n \"remediationDescription\": \"Configuring firewall rules to allow any IP address to connect to Cassandra ports can expose Cassandra services to attackers.
For more information, see VPC firewall rules overview.

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Disabled firewall rules alert you to unsafe configurations which could allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"name\": \"87cb47d9-eb93-4413-be7f-2f89112d3e22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.\",\r\n \"remediationDescription\": \"Configuring Firewall rules to allow any IP address to connect to CiscoSecure/WebSM ports can expose your CiscoSecure/WebSM services to attackers. For more information, see VPC firewall rules overview

This recommendation is generated for vulnerable firewall rules, even if they were intentionally disabled. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"name\": \"9c59d6ae-79c9-4f74-bacd-9bb8d2b05576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Directory ports might expose your Directory services to attackers. For more information, see VPC firewall rules overview.
The Directory service ports are:
TCP - 445
UDP - 445

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"name\": \"99fa8cd5-10fc-4051-909c-62a6d1272956\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open DNS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to DNS ports might expose your DNS services to attackers.
For more information, see VPC firewall rules overview.
The DNS service ports are:
TCP - 53
UDP - 53

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"name\": \"9c39d3a7-a11d-4f1e-a5b8-8c3be23fe0d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Elasticsearch ports might expose your Elasticsearch services to attackers. For more information, see VPC firewall rules overview.

The Elasticsearch service ports are:
TCP - 9200, 9300

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"name\": \"98c71657-9a57-4a9c-8cc0-e69136b9ec13\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to be open to public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following:
icmp
tcp:22
tcp:443
tcp:3389
udp:3389
sctp:22

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.\",\r\n \"remediationDescription\": \"Firewall rules that allow connections from all IP addresses, like 0.0.0.0/0, or from all ports can unnecessarily expose resources to attacks from unintended sources. These rules should be removed or scoped explicitly to the intended source IP ranges or ports.
For example, in applications intended to be public, consider restricting allowed ports to those needed for the application, like 80 and 443. If your application needs to allow connections from all IP addresses or ports, consider adding the asset to an allowlist. Learn more about Updating firewall rules.

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click the firewall rule listed in the Security Health Analytics finding, and then click \\\"Edit\\\". 3. Under \\\"Source IP ranges\\\", \\\"edit\\\" the IP values to restrict the range of IPs that is allowed. 4. Under \\\"Protocols and ports\\\", \\\"select\\\" \\\"Specified protocols and ports\\\", \\\"select\\\" the allowed protocols, and enter ports that are allowed. 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"name\": \"14dae408-be1b-4ab9-8645-1d9eba885a3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open FTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to FTP ports might expose your FTP services to attackers. For more information, see VPC firewall rules overview.

The FTP service ports are:
TCP - 21

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"name\": \"d6e19ca8-7446-4b1a-87e9-fb0bee876c80\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open HTTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:80.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to HTTP ports might expose your HTTP services to attackers. For more information, see VPC firewall rules overview.

The HTTP service ports are:
TCP - 80

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"name\": \"114491f8-1760-40b9-ad56-04be9c0be1d6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open LDAP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to LDAP ports might expose your LDAP services to attackers. For more information, see VPC firewall rules overview.

The LDAP service ports are:
TCP - 389, 636
UDP - 389

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"name\": \"dcbfebbd-0d89-4605-b29c-a8b94a11ca4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MEMCACHED port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Memcached ports might expose your Memcached services to attackers. For more information, see VPC firewall rules overview.

The Memcached service ports are:
TCP - 11211, 11214, 11215
UDP - 11211, 11214, 11215

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"name\": \"0088a052-38cd-4ef3-80bc-982871756481\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MONGODB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MongoDB ports might expose your MongoDB services to attackers. For more information, see VPC firewall rules overview.

The MongoDB service ports are:
TCP - 27017, 27018, 27019

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"name\": \"184a6210-9eb3-4d41-9453-84fd7f01186e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open MYSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to MySQL ports might expose your MySQL services to attackers. For more information, see VPC firewall rules overview.

The MySQL service ports are:
TCP - 3306

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"name\": \"f39b9212-7c2e-4265-85ad-14701b0209e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open NETBIOS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to NetBIOS ports might expose your NetBIOS services to attackers. For more information, see VPC firewall rules overview.

The NetBIOS service ports are:
TCP - 137, 138, 139
UDP - 137, 138, 139

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"name\": \"802bc806-5136-461f-a95d-dd65f8725af0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open ORACLEDB port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to OracleDB ports might expose your OracleDB services to attackers. SeFor more information, see VPC firewall rules overview.

The OracleDB service ports are:
TCP - 1521, 2483, 2484
UDP - 2483, 2484

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"name\": \"4f5e97a0-d563-4c0a-8aca-958753dfbeb6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open POP3 port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to POP3 ports might expose your POP3 services to attackers. For more information, see VPC firewall rules overview.

The POP3 service ports are:
TCP - 110

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"name\": \"27d1143d-a7ab-405c-a80c-8b9da25bc5e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open PostgreSQL port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to PostgreSQL ports might expose your PostgreSQL services to attackers. For more information, see VPC firewall rules overview.

The PostgreSQL service ports are:
TCP - 5432
UDP - 5432

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"name\": \"9a7b9056-30af-476f-bdc8-8b421d29b5e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open REDIS port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Redis ports might expose your Redis services to attackers. For more information, see VPC firewall rules overview.

The Redis service ports are:
TCP - 6379

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"name\": \"5855b7ce-fded-464c-894c-d34bd834f17e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SMTP port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SMTP ports might expose your SMTP services to attackers. For more information, see VPC firewall rules overview.

The SMTP service ports are:
TCP - 25

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"name\": \"4c8753af-c7d5-404f-abdf-8e8bef018dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open SSH port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to SSH ports might expose your SSH services to attackers. For more information, see VPC firewall rules overview.

The SSH service ports are:
SCTP - 22
TCP - 22

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"name\": \"bdb01af7-e42a-49c6-952f-b83ce13914a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should not be configured to have an open TELNET port that allows generic access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.\",\r\n \"remediationDescription\": \"Firewall rules that allow any IP address to connect to Telnet ports might expose your Telnet services to attackers. For more information, see VPC firewall rules overview.

The Telnet service ports are:
TCP - 23

This finding is generated for vulnerable firewall rules, even if you intentionally disable the rules. Active findings for disabled firewall rules alert you to unsafe configurations that will allow undesired traffic if enabled.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, select the name of the firewall rule in the finding. 3. Select \\\"Edit\\\". 4. Under \\\"Source IP ranges\\\", \\\"delete\\\" 0.0.0.0/0. 5. \\\"Add\\\" specific IP addresses or IP ranges that you want to allow to connect to the instance. 6. \\\"Add\\\" specific protocols and ports you want to open on your instance. 7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"name\": \"c3be77f6-6fa9-45bd-9bdb-420484420235\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute instances should use a load balancer that is configured to use a target HTTPS proxy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.\",\r\n \"remediationDescription\": \"A Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy.

To protect the integrity of your data and prevent intruders from tampering with your communications, configure your HTTP(S) load balancers to allow only HTTPS traffic. For more information, see External HTTP(S) Load Balancing overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Target proxies\\\" page in the GCP Cloud Console. Go to Target proxies. 2. In the list of target proxies, click the name of the target proxy in the finding. 3. Click the link under the \\\"URL map\\\". 4. Click \\\"Edit\\\". 5. Click \\\"Frontend configuration\\\". 6. Delete all \\\"Frontend IP\\\" and port configurations that allow HTTP traffic and create new ones that allow HTTPS traffic.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"name\": \"6aeb69dc-0d01-4228-88e9-7e610891d5dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto repair feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.\",\r\n \"remediationDescription\": \"A Google Kubernetes Engine (GKE) cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.

When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. For more information, see Auto-repairing nodes.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click the \\\"Nodes\\\" tab. 3. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Management\\\", select \\\"Enable auto-repair\\\". 4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"name\": \"1680e053-2e9b-4e77-a1c7-793ae286155e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE cluster's auto upgrade feature should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.\",\r\n \"remediationDescription\": \"A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.

For more information, see Auto-upgrading nodes.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters
2. In the list of clusters, click the name of the cluster.
3. Click the Nodes tab.
For each node pool:
1. Click the name of the node pool to go to its detail page.
2. Click \\\"Edit\\\".
3. Under \\\"Management\\\", select \\\"Enable auto-upgrade\\\".
4. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"name\": \"fa160a2c-e976-41cb-acff-1e1e3f1ed032\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Logging for GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.\",\r\n \"remediationDescription\": \"Logging isn't enabled for a GKE cluster.

To help investigate security issues and monitor usage, enable Cloud Logging on your clusters.

Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost,
see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the Kubernetes clusters page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Logging\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Logging\\\" with \\\"Legacy Stackdriver Monitoring\\\". 5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"name\": \"6a7b7361-5100-4a8c-b23e-f712d7dad39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring on GKE clusters should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.\",\r\n \"remediationDescription\": \"Monitoring is disabled on GKE clusters.

To help investigate security issues and monitor usage, enable Cloud Monitoring on your clusters.

Depending on the quantity of information, Cloud Monitoring costs can be significant. To understand your usage of the service and its costs, see Cost optimization for Google Cloud's operations suite.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Stackdriver Monitoring\\\" or \\\"Stackdriver Kubernetes Engine Monitoring\\\" drop-down list, select \\\"Enabled\\\".
These options aren't compatible. Make sure that you use either \\\"Stackdriver Kubernetes Engine Monitoring\\\" alone, or \\\"Legacy Stackdriver Monitoring\\\" with \\\"Legacy Stackdriver Logging\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"name\": \"fae39f34-d931-4026-b09c-b0a785bb1ff9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.\",\r\n \"remediationDescription\": \"Cluster hosts are not configured to use only private, internal IP addresses to access Google APIs.

Private Google Access enables virtual machine (VM) instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. For more information, see Configuring Google Private Access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Virtual Private Cloud networks\\\" page in the GCP Cloud Console. Go to VPC networks . 2. In the list of networks, click the name of the desired network. 3. On the \\\"VPC network details\\\" page, click the \\\"Subnets\\\" tab. 4. In the list of subnets, click the name of the subnet associated with the Kubernetes cluster in the finding. 5. On the \\\"Subnet details\\\" page, click \\\"Edit\\\". 6. Under \\\"Private Google Access\\\", select \\\"On\\\". 7. Click \\\"Save\\\". 8. To remove public (external) IPs from VM instances whose only external traffic is to Google APIs, see Unassigning a static external IP address.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"name\": \"3e33004b-f0b8-488d-85ed-61336c7ad4ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Compute Engine VMs should use the Container-Optimized OS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.\",\r\n \"remediationDescription\": \"Compute Engine VMs aren't using the Container-Optimized OS, which is designed to run Docker containers on Google Cloud securely.

Container-Optimized OS is Google's recommended OS for hosting and running containers on Google Cloud. Its small OS footprint minimizes security exposure, while automatic updates patch security vulnerabilities in a timely manner. For more information, see Container-Optimized OS Overview.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. In the list of clusters, click the name of the cluster in the finding. 3. Click the \\\"Nodes\\\" tab. 4. For each node pool:
1. Click the name of the node pool to go to its detail page. 2. Click \\\"Edit\\\". 3. Under \\\"Nodes\\\" -> \\\"Image type\\\", click \\\"Change\\\". 4. Select \\\"Container-Optimized OS\\\", and then click \\\"Change\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"name\": \"49016ecd-d4d6-4f48-a64f-42af93e15120\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have alias IP ranges enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster was created with alias IP ranges disabled.

When you enable alias IP ranges, GKE clusters allocate IP addresses from a known CIDR block, so your cluster is scalable and interacts better with Google Cloud products and entities. For more information, see Alias IP ranges overview .

To remediate this finding, complete the following steps:
You cannot migrate an existing cluster to use alias IPs. To create a new cluster with alias IPs enabled, do the following:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Click \\\"Create\\\". 3. From the navigation pane, under \\\"Cluster\\\", click \\\"Networking\\\". 4. Under \\\"Advanced networking options\\\", select \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 5. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"name\": \"bd1096e1-73cf-41ab-8f2a-257b78aed9dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Legacy Authorization should be disabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.\",\r\n \"remediationDescription\": \"Legacy Authorization is enabled on GKE clusters.

In Kubernetes, role-based access control (RBAC) lets you define roles with rules containing a set of permissions, and grant permissions at the cluster and namespace level. This feature provides better security by ensuring that users only have access to specific resources. Consider disabling legacy attribute-based access control (ABAC).

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters . 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Legacy Authorization\\\" drop-down list, select \\\"Disabled\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"name\": \"24df9ba4-8c98-42f2-9f64-50b095eca06f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Control Plane Authorized Networks should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.\",\r\n \"remediationDescription\": \"Control Plane Authorized Networks is not enabled on GKE clusters.

Control Plane Authorized Networks improves security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.
For more information, see Adding authorized networks for control plane access.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Select the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. On the \\\"Control Plane Authorized Networks\\\" drop-down list, select \\\"Enabled\\\". 5. Click \\\"Add authorized network\\\". 6. Specify the authorized networks you want to use.
7. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"name\": \"fd06513a-1e03-4d40-9159-243f76dcdcb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network policy should be enabled on GKE clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.\",\r\n \"remediationDescription\": \"Network policy is disabled on GKE clusters.

By default, pod to pod communication is open. Open communication allows pods to connect directly across nodes, with or without network address translation. A NetworkPolicy resource is like a pod-level firewall that restricts connections between pods, unless the NetworkPolicy resource explicitly allows the connection. Learn how to define a network policy.

To remediate this finding, complete the following steps:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Under \\\"Networking\\\", in the row for \\\"Network policy\\\", click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. In the dialog, select \\\"Enable network policy for control plane\\\" and \\\"Enable network policy for nodes\\\". 5. Click \\\"Save Changes\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"name\": \"b73bad4f-4ea7-4d04-bab0-d400cb3ad639\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service accounts should have restricted project access in a cluster\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.\",\r\n \"remediationDescription\": \"A GKE node is using the Compute Engine default service node, which has broad access by default and might be over-privileged for running your GKE cluster.

To remediate this finding, complete the following steps:
Follow the instructions to Use least privilege Google service accounts.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"name\": \"d3e70cff-e4db-47b1-b646-0ac5ed8ada36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Private clusters enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.\",\r\n \"remediationDescription\": \"A GKE cluster has a private cluster disabled.

Private clusters allow nodes to only have private IP addresses. This feature limits outbound internet access for nodes. If a cluster node doesn't have a public IP address, it isn't discoverable or exposed to the public internet. You can still route traffic to a node by using an internal load balancer. For more information, see Private clusters

You can't make an existing cluster private. To remediate this finding, create a new private cluster:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters 2. Click \\\"Create Cluster\\\". 3. In the navigation menu, under \\\"Cluster\\\", select \\\"Networking\\\". 4. Select the radio button for \\\"Private cluster\\\". 5. Under \\\"Advanced networking options\\\", select the checkbox for \\\"Enable VPC-native traffic routing (uses alias IP)\\\". 6. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"name\": \"d8fa5c03-a8e8-467b-992c-ad8b2db0f55e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE web dashboard should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.\",\r\n \"remediationDescription\": \"The GKE web UI (dashboard) is enabled.

A highly privileged Kubernetes Service Accounts backs the Kubernetes web interface. If compromised, the service account can be abused. If you are already using the Cloud Console, the Kubernetes web interface extends your attack surface unnecessarily. Learn about Disabling the Kubernetes web interface.

To remediate this finding, disable the Kubernetes web interface:
1. Go to the \\\"Kubernetes clusters\\\" page in the GCP Cloud Console. Go to Kubernetes clusters. 2. Click the name of the cluster listed in the Security Health Analytics finding. 3. Click \\\"Edit\\\".
If the cluster configuration recently changed, the edit button might be disabled. If you aren't able to edit the cluster settings, wait a few minutes and then try again. 4. Click \\\"Add-ons\\\". The section expands to display available add-ons. 5. On the \\\"Kubernetes dashboard\\\" drop-down list, select \\\"Disabled\\\". 6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"name\": \"2acc6ce9-c9a7-4d91-b7c8-f2314ecbf8af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Egress deny rule should be set on a firewall to block unwanted outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.\",\r\n \"remediationDescription\": \"An egress deny rule is not set on a firewall.

A firewall that denies all egress network traffic prevents any unwanted outbound network connections, except those connections other firewalls explicitly authorize. For more information, see Egress cases.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. Click \\\"Create Firewall Rule\\\". 3. Give the firewall a name and, optionally, a description. 4. Under \\\"Direction of traffic\\\", select \\\"Egress\\\". 5. Under \\\"Action on match\\\", select \\\"Deny\\\". 6. In the \\\"Targets\\\" drop-down menu, select \\\"All instances in the network\\\". 7. In the \\\"Destination filter\\\" drop-down menu, select \\\"IP ranges\\\", and then type 0.0.0.0/0 into the \\\"Destination IP ranges\\\" box. 8. Under \\\"Protocols and ports\\\", select \\\"Deny all\\\". 9. Click \\\"Disable Rule\\\" then, under \\\"Enforcement\\\", select \\\"Enabled\\\". 10. Click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"name\": \"37e5206e-a928-416b-9851-3689f506f73f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall rule logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.\",\r\n \"remediationDescription\": \"Firewall rules logging is disabled.

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules. It can be useful for auditing network access or providing early warning that the network is being used in an unapproved manner. The cost of logs can be significant. For more information on Firewall Rules Logging and its cost, see Using Firewall Rules Logging.

To remediate this finding, complete the following steps:
1. Go to the \\\"Firewall\\\" page in the GCP Cloud Console. Go to Firewall. 2. In the list of firewall rules, click the name of the desired firewall rule. 3. Click \\\"Edit\\\". 4. Under \\\"Logs\\\", select \\\"On\\\". 5. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"name\": \"4a7771a9-a2dd-40e8-87a2-921259d68667\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Users should have least privilege access with granular IAM roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.\",\r\n \"remediationDescription\": \"A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer.
These roles are too permissive and shouldn't be used. Instead, they should be assigned per project only.

For more information, see Understanding roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. For each user assigned a primitive role, consider using more granular roles instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"name\": \"24eb0365-d63d-43c0-b11f-8b0a1a0842f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cryptographic keys should not have more than three users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.\",\r\n \"remediationDescription\": \"Limit the number of principal users that can use cryptographic keys to three.

The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys:
1. roles/owner 2. roles/cloudkms.cryptoKeyEncrypterDecrypter 3. roles/cloudkms.cryptoKeyEncrypter 4. roles/cloudkms.cryptoKeyDecrypter 5. roles/cloudkms.signer
6. roles/cloudkms.signerVerifier

For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud KMS keys\\\" page in the GCP Cloud Console. Go to Cloud KMS keys. 2. Click the \\\"name\\\" of the key ring indicated in the finding. 3. Click the \\\"name\\\" of the key indicated in the finding. 4. Select the box next to the primary version, and then click \\\"Show Info Panel\\\". 5. Reduce the number of principals having permissions to encrypt, decrypt, or sign data to three or fewer.
To revoke permissions, click \\\"Delete\\\" delete next to each principal.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"name\": \"e836b239-c7dc-476a-9a85-829b565cbc59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Object versioning should be enabled on storage buckets where sinks are configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.\",\r\n \"remediationDescription\": \"Object versioning isn't enabled on a storage bucket where sinks are configured.

To support the retrieval of objects that are deleted or overwritten, GCP Cloud Storage offers the Object Versioning feature. Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Learn how to Enable Object Versioning.

To remediate this finding, use the gsutil versioning set on command with the appropriate value:
gsutil versioning set on gs://finding.assetDisplayName
Replace finding.assetDisplayName with the name of the relevant bucket.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"name\": \"76261631-76ea-4bd4-b064-34a619be1de0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage buckets used as a log sink should not be publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.\",\r\n \"remediationDescription\": \"A storage bucket is public and used as a log sink, meaning that anyone on the internet can access logs stored in this bucket.
allUsers represents anyone on the internet and allAuthenticatedUsers represents anyone who is logged into a Google service;
neither is constrained to users within your organization.

For more information, see Overview of access control.

To remediate this finding, complete the following steps:
1. Go to the \\\"Cloud Storage browser\\\" page in the GCP Cloud Console. Go to Cloud Storage browser . 2. In the list of buckets, click the name of the bucket indicated in the finding. 3. Click the \\\"Permissions\\\" tab. 4. Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" from the list of principals.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"name\": \"7c20b7aa-be3d-4a4b-af45-1b432c02f86b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis IAM role should not be assigned at the organization or folder level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.\",\r\n \"remediationDescription\": \"A Redis IAM role is assigned at the organization or folder level.

The following Redis IAM roles should be assigned per project only, not at the organization or folder level:
1. roles/redis.admin
2. roles/redis.viewer
3. roles/redis.editor

For more information, see Access control and permissions.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM policy\\\" page in the GCP Cloud Console. Go to IAM policy. 2. Remove the \\\"Redis IAM roles\\\" indicated in the finding and add them on the individual projects instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"name\": \"986fe72e-466a-462d-a06e-c77b439c53c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Projects that have cryptographic keys should not have users with Owner permissions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.\",\r\n \"remediationDescription\": \"A user has roles/Owner permissions on a project that has cryptographic keys. For more information, see Permissions and roles.

To remediate this finding, complete the following steps:
1. Go to the \\\"IAM page\\\" in the GCP Cloud Console. Go IAM page. 2. If necessary, select the project in the finding. 3. For each principal assigned the \\\"Owner\\\" role:
1. Click \\\"Edit\\\". 2. In the \\\"Edit permissions\\\" panel, next to the \\\"Owner\\\" role, click \\\"Delete\\\". 3. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"name\": \"67ebdf6b-6197-4e42-bbbf-eaf4e6c20b4c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources.
Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\",\r\n \"remediationDescription\": \"Follow the documentation and setup corporate login accounts Manage Identities.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"name\": \"6991b2e9-ae9e-4e99-acb6-037c4b575215\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that there are only GCP-managed service account keys for each service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"User managed service accounts should not have user-managed keys.
Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.
User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.
For user-managed keys, the user has to take ownership of key management activities which include:
  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/apis/credentials. 2. In the left navigation pane, click \\\"Service accounts\\\". All service accounts and their corresponding keys are listed. 3. Click the service account. 4. Click the \\\"edit\\\" and delete the keys.

From CLI:
To delete a user managed Service Account Key, run gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"name\": \"54c381fe-a80a-4038-8a9d-c166d2922ea9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to assign the \\\"Service Account User (iam.serviceAccountUser)\\\" and \\\"Service Account Token Creator (iam.serviceAccountTokenCreator)\\\" roles to a user for a specific service account rather than assigning the role to a user at project level.
A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.
Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.
Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.
Based on business needs, there could be multiple user-managed service accounts configured for a project.
Granting the \\\"iam.serviceAccountUser\\\" or \\\"iam.serviceAserviceAccountTokenCreatorccountUser\\\" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.
This can result in elevation of privileges by using service accounts and corresponding \\\"Compute Engine instances\\\".
In order to implement \\\"least privileges\\\" best practices, IAM users should not be assigned the \\\"Service Account User\\\" or \\\"Service Account Token Creator\\\" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The \\\"Service Account User\\\" allows a user to bind a service account to a long-running job service, whereas the \\\"Service Account Token Creator\\\" role allows a user to directly impersonate (or assert) the identity of a service account.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the IAM page in the GCP Console by visiting: GCP Console IAM. 2. Click on the filter table text bar. Type \\\"Role: Service Account User\\\" 3. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account User\\\" for every user listed as a result of a filter. 4. Click on the filter table text bar. Type \\\"Role: Service Account Token Creator\\\" 5. Click the \\\"Delete Bin\\\" icon in front of the role \\\"Service Account Token Creator\\\" for every user listed as a result of a filter.

From Command Line:
1. Using a text editor, remove the bindings with the \\\"roles/iam.serviceAccountUser\\\" or \\\"roles/iam.serviceAccountTokenCreator\\\".
For example, you can use the iam.json file shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"name\": \"0007dd31-9e95-460d-82bd-ae3e9e623161\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.
It is recommended that all Service Account keys are regularly rotated.
Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.
GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).
With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.
GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.\",\r\n \"remediationDescription\": \"From Console:
Delete any external (user-managed) Service Account Key older than 90 days: 1. Go to APIs & Services\\\\Credentials using https://console.cloud.google.com/apis/credentials
2. In the Section \\\"Service Account Keys\\\", for every external (user-managed) service account key where \\\"creation date is\\\" greater than or equal to the past 90 days, click \\\"Delete Bin Icon\\\" to Delete Service Account key.
Create a new external (user-managed) Service Account Key for a Service Account:
1. Go to \\\"APIs & Services\\\\Credentials\\\" using https://console.cloud.google.com/apis/credentials
2. Click \\\"Create Credentials\\\" and Select \\\"Service Account Key\\\". 3. Choose the service account in the drop-down list for which an External (user-anaged) Service Account key needs to be created. 4. Select the desired key type format among \\\"JSON\\\" or \\\"P12\\\". 5. Click \\\"Create\\\". It will download the private key. Keep it safe. 6. Click \\\"Close\\\" if prompted. 7. The site will redirect to the \\\"APIs & Services\\\\Credentials\\\" page. Make a note of the new ID displayed in the Service account keys section.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"name\": \"9e8cb9ac-87ee-424b-a9d2-0d41e411d18f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
The built-in/predefined IAM role \\\"Service Account admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Service Account User\\\" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have \\\"Service Account Admin\\\" and \\\"Service Account User\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having both \\\"Service Account Admin\\\" and \\\"Service account User\\\" roles granted/assigned, click the \\\"Delete Bin icon\\\" to remove either role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"name\": \"fcbcaef9-4bb0-49db-a932-afd64ed221d4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on Cloud KMS \\\"cryptokeys\\\" should restrict anonymous and/or public access.
Granting permissions to \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\" allows anyone to access the dataset.
Such access might not be desirable if sensitive data is stored at the location.
In this case, ensure that anonymous and/or public access to a Cloud KMS \\\"cryptokey\\\" is not allowed.\",\r\n \"remediationDescription\": \"From Command Line:
1. List all Cloud KMS \\\"Cryptokeys\\\".
gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'. 2. Remove IAM policy binding for a KMS key to remove access to \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" using the below command.
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"name\": \"f756937d-b790-4718-8dd7-fa995930c4a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used.
For the gcloud command-line tool, the next rotation time must be in \\\"ISO\\\" or \\\"RFC3339\\\" format, and the rotation period must be in the form \\\"INTEGER[UNIT]\\\", where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Set a key rotation period and starting time. A key can be created with a specified \\\"rotation period\\\", which is the time between when new key versions are generated automatically.
A key can also be created with a specified next rotation time.
A key is a named object representing a \\\"cryptographic key\\\" used for a specific purpose.
The key material, the actual bits used for \\\"encryption\\\", can change over time as new key versions are created.
A key is used to protect some \\\"corpus of data\\\". A collection of files could be encrypted with the same key and people with \\\"decrypt\\\" permissions on that key would be able to decrypt those files.
Therefore, it's necessary to make sure the \\\"rotation period\\\" is set to a specific time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Cryptographic Keys. 2. Click on the specific key ring. 3. From the list of keys, choose the specific key and Click on \\\"Right side pop up the blade (3 dots)\\\". 4. Click on \\\"Edit rotation period\\\". 5. On the pop-up window, \\\"Select a new rotation period\\\" in days which should be less than 90 and then choose \\\"Starting on\\\" date (date from which the rotation period begins).

From Command Line:
1. Update and schedule rotation by \\\"ROTATION_PERIOD\\\" and \\\"NEXT_ROTATION_TIME\\\" for each key:
gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"name\": \"14007242-eadd-4d15-ad54-97201351c0ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
The built-in/predefined IAM role \\\"Cloud KMS Admin\\\" allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).
The built-in/predefined IAM role \\\"Cloud KMS CryptoKey Decrypter\\\" allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.
In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.
It is considered best practice. No user(s) should have Cloud KMS Admin and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles assigned at the same time.\",\r\n \"remediationDescription\": \"From Console:
1. Go to IAM & Admin/IAM. 2. For any member having \\\"Cloud KMS Admin\\\" and any of the \\\"Cloud KMS CryptoKey Encrypter/Decrypter\\\", \\\"Cloud KMS CryptoKey Encrypter\\\", \\\"Cloud KMS CryptoKey Decrypter\\\" roles granted/assigned, click the \\\"Delete Bin\\\" icon to remove the role from the member.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"name\": \"0b9173aa-68d9-4581-814f-fab4a91aa9af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources.
Admin Activity audit logs are enabled for all services and cannot be configured. 2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
  • Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.
It is recommended to have an effective default audit config configured in such a way that:
1. logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data). 2. audit config is enabled for all the services supported by the Data Access audit logs feature. 3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\",\r\n \"remediationDescription\": \"From Console:
1. Go to Audit Logs. 2. Follow the steps at Configure Data Access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Command Line:
1. To read the project's IAM policy and store it in a file run a command:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
auditConfigs: - auditLogConfigs: - logType: DATA_WRITE - logType: DATA_READ service: allServices

Note: \\\"exemptedMembers\\\": is not set as audit logging should be enabled for all the users
3. To write new IAM policy run command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml

If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"name\": \"194b473e-7c5a-4754-b1ae-76591fe11b5c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.
The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Logging/Logs\\\" by visiting: GCP Logs explorer. 2. Click the down arrow symbol on \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. This step converts \\\"Filter Bar\\\" to \\\"Advanced Filter Bar\\\".4.Clear any text from the \\\"Advanced Filter\\\" field. This ensures that the \\\"log-filter\\\" is set to empty and captures all the logs. 5. Click \\\"Submit Filter\\\" and the result should display all logs. 6. Click \\\"Create Sink\\\", which opens a menu on the right. 7. Fill out the fields and click \\\"Create Sink\\\".
For more information, see GCP Logging Documentation.

From Command Line:
To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME
Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name>
storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"name\": \"07ca1398-d477-400a-a9fc-4cfc78f723f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that retention policies on log buckets are configured using Bucket Lock\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted.
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink.
If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.
Sinks can be configured to export logs in storage buckets.
It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed.
This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\",\r\n \"remediationDescription\": \" From the Console:
1. If sinks are not configured, first follow the instructions in the recommendation: \\\"Ensure that sinks are configured for all Log entries\\\". 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at \\\"https://console.cloud.google.com/storage/browser/<BUCKET_NAME>\\\". 3. Select the Bucket Lock tab near the top of the page. 4. In the Retention policy entry, click the Add Duration link. The \\\"Set a retention policy\\\" dialog box appears. 5. Enter the desired length of time for the retention period and click \\\"Save policy\\\". 6. Set the \\\"Lock status\\\" for this retention policy to \\\"Locked\\\".

From Command Line:
1.To list all sinks destined to storage buckets:
gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID
2. For each storage bucket listed above, set a retention policy and lock it:
gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]
gsutil retention lock gs://[BUCKET_NAME]
For more information, see Bucket lock retention policy.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"name\": \"f42c20a6-8012-4e1e-bf4d-19b977e8c8d7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all \\\"roles/Owner\\\" assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role \\\"roles/Owner\\\" are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.
- Sending project ownership invites
- Acceptance/Rejection of project ownership invite by user
- Adding `role\\\\Owner` to a user/service-account
- Removing a user/Service account from `role\\\\Owner`\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
(protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\")
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"name\": \"34ed4dfb-fc6d-498f-b2b0-d1099704775d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \\\"who did what, where, and when?\\\" within GCP projects.
Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.
Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"SetIamPolicy\\\" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"name\": \"ba27e90d-311d-409d-8c69-7dfac0a1351c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"iam_role\\\"
AND protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"
OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"name\": \"4a7723f9-ee51-4a2b-a4e5-2497a20c1964\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_firewall_rule\\\"
AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"name\": \"b5c8e32b-a400-4d4b-8d2d-c5afbd4a6997\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=\\\"gce_route\\\"
AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"name\": \"59aef38a-19c2-4663-97a7-4c82a98dbab5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gce_network
AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\"
OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"name\": \"2e14266c-76ea-4479-915e-4edaae7d78ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"name\": \"9dce022e-f7f9-4725-8a63-c0d4a868b4d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
* Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorize networks: Misconfiguration may increase exposure to untrusted networks\",\r\n \"remediationDescription\": \"From Console:
Create the prescribed log metric:
1. Go to \\\"Logging/Logs\\\" by visiting Metrics and click \\\"CREATE METRIC\\\". 2. Click the down arrow symbol on the \\\"Filter Bar\\\" at the rightmost corner and select \\\"Convert to Advanced Filter\\\". 3. Clear any text and add:
protoPayload.methodName=\\\"cloudsql.instances.update\\\"
4. Click \\\"Submit Filter\\\". Display logs appear based on the filter text entered by the user. 5. In the \\\"Metric Editor\\\" menu on the right, fill out the name field. Set \\\"Units\\\" to \\\"1\\\" (default) and the \\\"Type\\\" to \\\"Counter\\\". This ensures that the log metric counts the number of log entries matching the advanced logs query. 6. Click \\\"Create Metric\\\".
Create the display prescribed Alert Policy:
1. Identify the newly created metric under the section \\\"User-defined Metrics\\\" at Metrics. 2. Click the 3-dot icon in the rightmost column for the desired metric and select \\\"Create alert from Metric\\\". A new page opens. 3. Fill out the alert policy configuration and click \\\"Save\\\". Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
4. Configure the desired notifications channels in the section \\\"Notifications\\\". 5. Name the policy and click \\\"Save\\\".

From Command Line:
Create a prescribed Log Metric:
* Use the command: gcloud beta logging metrics create
* Reference for Command Usage: Reference
Create prescribed Alert Policy
* Use the command: gcloud alpha monitoring policies create
* Reference for Command Usage: Reference\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"name\": \"9f88a5b8-2853-4b3f-a4c7-33f225cae99a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingresstraffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'.
Generic access from the Internet to a specific IP Range needs to be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule you want to modify. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...] \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"name\": \"8bc8464f-f32a-4b3c-954e-48f9db2d9bcf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.
When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming raffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.
Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to VPC Network. 2. Go to the Firewall Rules. 3. Click the Firewall Rule to be modified. 4. Click Edit. 5. Modify Source IP ranges to specific IP. 6. Click Save.

From Command Line:
1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"name\": \"ea1989f3-de6c-4389-8b6c-c8b9a3df1595\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent use of \\\"default\\\" network, a project should not have a \\\"default\\\" network.
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VPC networks\\\" page by visiting:
VPC networks. 2. Click the network named default. 3. On the network detail page, click \\\"EDIT\\\". 4. Click \\\"DELETE VPC NETWORK\\\". 5. If needed, create a new network to replace the default network.

From Command Line:
For each Google Cloud Platform project,
1. Delete the default network:
gcloud compute networks delete default
2. If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"name\": \"44995f9b-5963-4a92-8e99-6d68acbc187c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In order to prevent use of legacy networks, a project should not have a legacy network configured.
Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\",\r\n \"remediationDescription\": \"For each Google Cloud Platform project,
1. Follow the documentation and create a non-legacy network suitable for the organization's requirements. 2. Follow the documentation and delete the networks in the \\\"legacy\\\" mode.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"name\": \"33509176-9e4d-4238-84ec-984ba67019fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.
Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.
DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.
As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"Cloud DNS\\\" by visiting Cloud DNS. 2. For each zone of Type Public, set DNSSEC to \\\"On\\\".

From Command Line:
Use the below command to enable \\\"DNSSEC\\\" for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"name\": \"87356ecc-b718-442d-af22-677bceaeae06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update key-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"name\": \"117ad72e-fed7-4dc8-995d-39919b9ba2d9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
DNSSEC algorithm numbers in this registry may be used in CERT RRs.
Zonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.
The algorithm used for key signing should be a recommended one and it should be strong.
When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.
Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.
If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\",\r\n \"remediationDescription\": \"1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings.
To turn off DNSSEC, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state off
2. To update zone-signing for a reported managed DNS Zone, run the following command:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM - -zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE

Algorithm KSK Length ZSK Length
RSASHA1 1024,2048 1024,2048
RSASHA256 1024,2048 1024,2048
RSASHA512 1024,2048 1024,2048
ECDSAP256SHA256 256 256
ECDSAP384SHA384 384 384
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"name\": \"a107c44c-75e4-4607-b1b0-cd5cfcf249e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.
To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.
Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]- compute@developer.gserviceaccount.com.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go to its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" and then click \\\"EDIT\\\". 4. Under the section \\\"Service Account\\\", select a service account other that the default Compute Engine service account. You may first need to create a new service account. 5. Click \\\"Save\\\" and then click \\\"START\\\".

From Command Line:
1. Stop the instance: gcloud compute instances stop INSTANCE_NAME
2. Update the instance: gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT
3. Restart the instance: gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"name\": \"a8c1fcf1-ca66-4fc1-b5e6-51d7f4f76782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\".
Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account \\\"Compute Engine default service account\\\" for an instances to access necessary cloud services.
\\\"Project Editor\\\" role is assigned to \\\"Compute Engine default service account\\\" hence, This service account has almost all capabilities over all cloud services except billing.
However, when \\\"Compute Engine default service account\\\" assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges) 2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access) 3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with \\\"Compute Engine default service account\\\" with Scope \\\"Allow full access to all Cloud APIs\\\", based on IAM roles assigned to the user(s) accessing Instance,
it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.
VMs created by GKE should be excluded. These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the impacted VM instance. 3. If the instance is not stopped, click the \\\"Stop\\\" button. Wait for the instance to be stopped. 4. Next, click the \\\"Edit\\\" button. 5. Scroll down to the \\\"Service Account\\\" section. 6. Select a different service account or ensure that \\\"Allow full access to all Cloud APIs\\\" is not selected.  7. Click the \\\"Save\\\" button to save your changes and then click \\\"START\\\".

From Command Line:
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --serviceaccount=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"name\": \"49cb12f0-3dd3-4220-9cfb-5c3fd514a6d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
To find out which instance causes the project to be unhealthy see recommendation \\\"Ensure oslogin is enabled for all instances\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM compute metadata page. 2. Click \\\"Edit\\\". 3. Add a metadata entry where the key is \\\"enable-oslogin\\\" and the value is \\\"TRUE\\\". 4. Click \\\"Save\\\" to apply the changes. 5. For every instance that overrides the project setting, go to the VM instances page. 6. Click the name of the instance on which you want to remove the metadata value. 7. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 8. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 9. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
1. Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
2. Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"name\": \"569ef64e-d7aa-4d7e-aa0b-5b3e045ca2c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for all instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user.
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click the name of the instance on which you want to remove the metadata value. 3. At the top of the instance details page, click \\\"Edit\\\" to edit the instance settings. 4. Under \\\"Custom metadata\\\", remove any entry with key \\\"enable-oslogin\\\" and the value is \\\"FALSE\\\" 5. At the bottom of the instance details page, click \\\"Save\\\" to apply your changes to the instance.

From Command Line:
Remove instance metadata that overrides the project settings.
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see here.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"name\": \"7e060336-2c9e-4289-a2a6-8d301bad47bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.
Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.
This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.\",\r\n \"remediationDescription\": \"From Console:
1. Login to Google Cloud console 2. Go to Computer Engine 3. Go to VM instances 4. Click on the Specific VM 5. Click \\\"EDIT\\\" 6. Unselect \\\"Enable connecting to serial ports\\\" below \\\"Remote access\\\" block. 7. Click \\\"Save\\\".

From Command Line:
Use the below command to disable
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false
or
gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"name\": \"1a4b3b3a-7de9-4aa4-a29b-580d59b43f79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.
Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.
The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\",\r\n \"remediationDescription\": \"From Console:
1. Go to the
VM instances page. 2. Click on the instance name to see its \\\"VM instance details\\\" page. 3. Click \\\"STOP\\\" to stop the instance. 4. When the instance has stopped, click \\\"EDIT\\\". 5. In the Shielded VM section, select \\\"Turn on vTPM\\\" and \\\"Turn on Integrity Monitoring\\\". 6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select \\\"Turn on Secure Boot\\\". 7. Click the \\\"Save\\\" button to modify the instance and then click \\\"START\\\" to restart it.

From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring
3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
4. Restart the instance:
gcloud compute instances start INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"name\": \"8bdd13ad-a9d2-4910-8b06-9c4cddb55abb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances should not be configured to have external IP addresses.
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.
These VMs have names that start with \\\"gke-\\\" and are labeled \\\"goog-gke-node\\\".\",\r\n \"remediationDescription\": \"From Console:
1. Go to the VM instances page. 2. Click on the instance name to go the the Instance detail page. 3. Click \\\"Edit\\\". 4. For each Network interface, ensure that External IP is set to None. 5. Click \\\"Done\\\" and then click \\\"Save\\\".

From Command Line:
1. Describe the instance properties: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces: - accessConfigs: - kind: compute#accessConfig name: External NAT natIP: 130.211.181.55 type: ONE_TO_ONE_NAT
3. Delete the access config.
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name \\\"ACCESS_CONFIG_NAME\\\"\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"name\": \"d8305d96-2aa5-458d-92b7-f8418f5f3328\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.
Allowing anonymous or public access grants permissions to anyone to access bucket content.
Such access might not be desired if you are storing any sensitive data.
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"Storage browser\\\" by visiting GCP Storage browser. 2. Click on the bucket name to go to its \\\"Bucket details\\\" page. 3. Click on the \\\"Permissions\\\" tab. 4. Click \\\"Delete\\\" button in front of \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" to remove that particular role assignment.
From Command Line:
Remove \\\"allUsers\\\" and \\\"allAuthenticatedUsers\\\" access.
gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"name\": \"64b5cdbc-0633-49af-b63d-a9dc90560196\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.
Cloud Storage offers two systems for granting users permission to access your buckets and objects:
Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).
These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.
Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.
ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.
Using this feature disables ACLs for all Cloud Storage resources:
access to Cloud Storage resources then is granted exclusively through Cloud IAM.
Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible,
no object in the bucket is publicly accessible either.\",\r\n \"remediationDescription\": \"From Console:
1. Open the \\\"Cloud Storage browser\\\" in the Google Cloud Console by visiting: GCP Storage browser. 2. In the list of buckets, click on the name of the desired bucket. 3. Select the \\\"Permissions\\\" tab near the top of the page. 4. In the text box that starts with \\\"This bucket uses fine-grained access control...\\\", click \\\"Edit\\\". 5. In the pop-up menu that appears, select \\\"Uniform\\\". 6. Click \\\"Save\\\".
From Command Line:
Use the \\\"on\\\" option in a uniformbucketlevelaccess set command:
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"name\": \"dab1eea3-7693-4da3-af1b-2f73832655fa\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset.
Such access might not be desirable if sensitive data is being stored in the dataset.
Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\",\r\n \"remediationDescription\": \"From Console:
1. Go to \\\"BigQuery\\\" by visiting: BigQuery. 2. Select the dataset from \\\"Resources\\\". 3. Click \\\"SHARE DATASET\\\" near the right side of the window. 4. Review each attached role. 5. Click the \\\"delete\\\" icon for each member \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". On the popup click \\\"Remove\\\".
From Command Line:
1. Retrieve the data set information:
bq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE
2. In the access section of the JSON file, update the dataset information to remove all roles containing \\\"allUsers\\\" or \\\"allAuthenticatedUsers\\\". 3. Update the dataset:
bq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"name\": \"8191f530-fde7-4177-827a-43ce0f69ffe7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the \\\"log_lock_waits\\\" flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted \\\"deadlock_timeout\\\" time to acquire a lock.
The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue.
Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_lock_waits\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_lock_waits\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_lock_waits=on

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"name\": \"492fed4e-1871-4c12-948d-074ee0f07559\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that is considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Note: To effectively turn off logging failing statements, set this parameter to PANIC.
ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set in accordance with the organization's logging policy.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"name\": \"29622fc0-14dc-4d65-a5a8-e9a39ffc4b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' \",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed \\\"work_mem\\\".
The \\\"log_temp_files\\\" flag controls logging names and the file size when it is deleted.
Configuring \\\"log_temp_files\\\" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of \\\"-1\\\" disables temporary file information logging.
If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_temp_files\\\" from the drop-down menu and set the value as 0. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_temp_files\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=`0`

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"name\": \"1c9e237b-419f-4e73-b43a-94b5863dd73e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_duration_statement\\\" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that \\\"log_min_duration_statement\\\" is disabled, i.e., a value of -1 is set.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_duration_statement\\\" from the drop-down menu and set the value of \\\"-1\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"log_min_duration_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"name\": \"26973a34-79a6-46a0-874f-358c8c00af05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"cross db ownership chaining\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Use the \\\"cross db ownership\\\" for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.
Enabling \\\"cross db ownership\\\" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"cross db ownership chaining\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"cross db ownership chaining\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"cross db ownership chaining=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"name\": \"658ce98f-ecf1-4c14-967f-3c4faf130fbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"contained database authentication\\\" database flag for Cloud SQL on the SQL Server instance is set to \\\"off\\\".
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.
Users can connect to the database without authenticating a login at the Database Engine level.
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.
Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.
Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance for which you want to enable to database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"contained database authentication\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Configure the \\\"contained database authentication\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"contained database authentication=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"name\": \"13872d43-aac6-4018-9c89-507b8fe9be54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Cloud SQL Instances. 2. Click on an instance name to see its configuration overview. 3. In the left-side panel, select \\\"Connections\\\". 4. In the \\\"SSL connections\\\" section, click \\\"Allow only SSL connections\\\". 5. Under \\\"Configure SSL server certificates\\\" click \\\"Create new certificate\\\". 6. Under \\\"Configure SSL client certificates\\\" click \\\"Create a client certificate\\\". 7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl

Note:
\\\"RESTART\\\" is required for type MySQL Generation 1 Instances (\\\"backendType: FIRST_GEN\\\") to get this configuration in effect.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"name\": \"de78ebca-1ec6-4872-8061-8fcfb27752fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to \\\"0.0.0.0/0\\\" which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its \\\"Instance details\\\" page. 3. Under the \\\"Configuration\\\" section click \\\"Edit configurations\\\". 4. Under \\\"Configuration options\\\" expand the \\\"Connectivity\\\" section. 5. Click the \\\"delete\\\" icon for the authorized network \\\"0.0.0.0/0\\\". 6. Click \\\"Save\\\" to update the instance.

From Command Line:
Update the authorized network list by dropping off any addresses.
oud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2... \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"name\": \"1658239d-caf7-471d-83c5-2e4c44afdcff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs.
Private IPs provide improved network security and lower latency for your application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Click the instance name to open its Instance details page. 3. Select the \\\"Connections\\\" tab. 4. Deselect the \\\"Public IP\\\" checkbox. 5. Click \\\"Save\\\" to update the instance.

From Command Line:
1. For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --no-assign-ip 2. Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"name\": \"afaac6e6-6240-48a2-9f62-4e257b851311\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to have all SQL database instances set to enable automated backups.
Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.
Automated backups need to be set for any instance that contains data that should be protected from loss or damage.
This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the instance where the backups need to be configured. 3. Click \\\"Edit\\\". 4. In the \\\"Backups\\\" section, check \\\"Enable automated backups\\\", and choose a backup window. 5. Click \\\"Save\\\".
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list 2. Enable \\\"Automated backups\\\" for every Cloud SQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM] The \\\"backup-start-time\\\" parameter is specified in 24-hour time, in the UTC+00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"name\": \"633a87f4-bd71-45ce-9eca-c6bb8cbe8b21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.
To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.
Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the MySQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"local_infile\\\" from the drop-down menu, and set its value to \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off
Note:
This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"name\": \"a2404629-0132-4ab3-839e-8389dbe9fe98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.
Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.
This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_checkpoints\\\" from the drop-down menu, and set its value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_checkpoints=on
Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"name\": \"4016e27f-a451-4e24-9222-39d7d107ad74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance for which you want to enable the database flag. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_connections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on
Note:
This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"name\": \"a86f62be-7402-4797-91dc-8ba2b976cb74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_disconnections setting logs the end of each session, including the session duration.
PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.
The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_disconnections\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
List all Cloud SQL database instances using the following command:
gcloud sql instances list
Configure the log_disconnections database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"name\": \"ae77cb8b-0b43-4e86-8b5c-f5afcf95766a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
The application uses the service account to call the service's Google API so that users aren't directly involved.
It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.
Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.
A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.
without user intervention.
For this reason, it's recommended that service accounts not have Admin rights.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to IAM & admin/IAM. 2. Go to the \\\"Members\\\". 3. Identify \\\"User-Managed user created\\\" service account with roles containing \\\"*Admin\\\" or \\\"*admin\\\" or role matching \\\"Editor\\\" or role matching \\\"Owner\\\". 4. Click the \\\"Delete bin\\\" icon to remove the role from the member (service account in this case)
From Command Line:
1. Using a text editor, Remove \\\"Role\\\" which contains \\\"roles/*Admin\\\" or \\\"roles/*admin\\\" or matched \\\"roles/editor\\\" or matches \\\"roles/owner\\\". Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the \\\"ServiceAccount\\\" which is roles/editor, you would change the example shown below as follows:
{ 'bindings': [ { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', ], 'role': 'roles/appengine.appViewer' }, { 'members': [ 'user:email1@gmail.com' ], 'role': 'roles/owner' }, { 'members': [ 'serviceAccount:our-project-123@appspot.gserviceaccount.com', 'serviceAccount:123456789012-compute@developer.gserviceaccount.com' ], 'role': 'roles/editor' } ], 'etag': 'BwUjMhCsNvY=' }
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"name\": \"9e5b33de-bcfa-4044-93ce-4937bf8f0bbd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"skip_show_database\\\" database flag for Cloud SQL Mysql instance to \\\"on\\\".
'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.
This can improve security if you have concerns about users being able to see databases belonging to other users.
Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.
This recommendation is applicable to Mysql database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the Mysql instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"skip_show_database\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"skip_show_database\\\" database flag for every Cloud SQL Mysql database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"name\": \"272820a7-06ce-44b3-8318-4ec1f82237dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling the log_hostname setting causes the duration of each completed statement to be logged.
This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag.
This parameter cannot be changed after session start.
Monitoring the time taken to execute the queries can be crucial in identifying any resource hogging queries and assessing the performance of the server.
Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_duration\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_duration\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_duration=on
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"name\": \"989db7d6-71d5-4928-a9a6-c9ab7b8044e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"PostgreSQL logs only the IP address of the connecting hosts.
The \\\"log_hostname\\\" flag controls the logging of \\\"hostnames\\\" in addition to the IP addresses logged.
The performance hit is dependent on the configuration of the environment and the host name resolution setup.
This parameter can only be set in the \\\"postgresql.conf\\\" file or on the server command line.
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname.
Depending on the setup, this may be non-negligible.
Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_hostname\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_hostname\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_hostname=
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Gather Victim Host Information\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"name\": \"a6efc275-b1c1-4003-8e85-2f30b2eb56e6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server.
If the syntax is correct a \\\"parse tree\\\" is built up else an error is generated.
The \\\"log_parser_stats\\\" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.
The \\\"log_parser_stats\\\" flag enables a crude profiling method for logging parser performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. 2. Select the PosgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_parser_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.
From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_parser_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_parser_stats=off
Note:
This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"name\": \"25631aaa-3866-43ac-860f-22c12bff1a4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging.
It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.
Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases: 1. Network monitoring. 2. Understanding network usage and optimizing network traffic expenses. 3. Network forensics. 4. Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list. 2. Click the \\\"name\\\" of a subnet, The Subnet details page displays. 3. Click the \\\"EDIT\\\" button. 4. Set \\\"Flow Logs\\\" to On. 5. Click \\\"Save\\\".

From Command Line:
To set Private Google access for a network subnet, run the following command::
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs \",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"name\": \"00f8a6a6-cf69-4c11-822e-3ebf4910e545\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Block Project-wide SSH keys' is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.
It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.It will list all the instances in your project. 2. Click on the \\\"name\\\" of the Impacted instance. 3. Click \\\"Edit\\\" in the toolbar. 4. Under \\\"SSH Keys\\\", go to the \\\"Block project-wide\\\" SSH keys checkbox. 5. To block users with project-wide SSH keys from connecting to this instance, select \\\"Block project-wide\\\" SSH keys. 6. Click \\\"Save\\\" at the bottom of the page. 7. Repeat steps for every impacted Instance.

From Command Line:
Block project-wide public SSH keys, set the metadata value to TRUE:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"name\": \"0ba588a6-4539-4e67-bc62-d7b2b51300fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.
However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the \\\"VM Instances\\\" page by visiting: https://console.cloud.google.com/compute/instances. 2. Select the \\\"VM Instance\\\" you want to remediate 3. Click the \\\"Delete\\\" button. 4. On the \\\"VM Instances\\\" page, click \\\"CREATE INSTANCE\\\". 5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Command Line:
Delete the instance
gcloud compute instances delete INSTANCE_NAME
Create a new instance to replace it, with IP forwarding set to Off
gcloud compute instances create \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration over C2 Channel\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"name\": \"7d87879a-d498-4e61-b552-b34463f87f83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The same SQL query can be excuted in multiple ways and still produce different results.
The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query.
The \\\"log_planner_stats\\\" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.
The \\\"log_planner_stats\\\" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_planner_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_planner_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_planner_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"name\": \"19711549-76eb-4f1f-b43b-b1048e66c1f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner.
The executor processes the plan recursively to extract the required set of rows.
The \\\"log_executor_stats\\\" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.
The \\\"log_executor_stats\\\" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which even though can be useful for troubleshooting, it may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_executor_stats\\\" from the drop-down menu and set appropriate value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_executor_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_executor_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"name\": \"c36e73b7-ee30-4684-a1ad-2b878d2b10bf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_statement_stats\\\" flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query.
This cannot be enabled with other module statistics (\\\"log_parser_stats\\\", \\\"log_planner_stats\\\", \\\"log_executor_stats\\\").
The \\\"log_statement_stats\\\" flag enables a crude profiling method for logging end to end performance statistics of a SQL query.
This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.
This recommendation is applicable to PostgreSQL database instances.
\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_statement_stats\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_statement_stats\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_statement_stats=off

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"name\": \"50a1058e-925b-4998-9d93-5eaa8f7021a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"log_min_error_statement\\\" flag defines the minimum message severity level that are considered as an error statement.
Messages for error statements are logged with the SQL statement.
Valid values include \\\"DEBUG5\\\", \\\"DEBUG4\\\", \\\"DEBUG3\\\", \\\"DEBUG2\\\", \\\"DEBUG1\\\", \\\"INFO\\\", \\\"NOTICE\\\", \\\"WARNING\\\", \\\"ERROR\\\", \\\"LOG\\\", \\\"FATAL\\\", and \\\"PANIC\\\".
Each severity level includes the subsequent levels mentioned above.
Ensure a value of ERROR or stricter is set.
Auditing helps in troubleshooting operational problems and also permits forensic analysis.
If \\\"log_min_error_statement\\\" is not set to the correct value, messages may not be classified as error messages appropriately.
Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.
The \\\"log_min_error_statement\\\" flag should be set to \\\"ERROR\\\" or stricter.
This recommendation is applicable to PostgreSQL database instances. \",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"log_min_error_statement\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"log_min_error_statement\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"name\": \"98b8908a-18b9-46ea-8c52-3f8db1da996f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"external scripts enabled\\\" database flag for Cloud SQL SQL Server instance to off.
\\\"external scripts enabled\\\" enable the execution of scripts with certain remote language extensions.
This property is OFF by default.
When Advanced Analytics Services is installed, setup can optionally set this property to true.
As the \\\"External Scripts Enabled\\\" feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"external scripts enabled\\\" from the drop-down menu and set the value as \\\"on\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"external scripts enabled\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"external scripts enabled=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"name\": \"91f55b07-083c-4ec5-a2be-4b52bbc2e2df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"user connections\\\" database flag for Cloud SQL SQL Server instance according organization-defined value.
The \\\"user connections\\\" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.
The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.
SQL Server allows a maximum of 32,767 user connections.
Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable.
For example, if only 10 users are logged in, 10 user connection objects are allocated.
In most cases, you do not have to change the value for this option.
The default is 0, which means that the maximum (32,767) user connections are allowed.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the SQL Server instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"user connections\\\" from the drop-down menu and set the value as organization recommended value. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"user connections\\\" database flag for every Cloud SQL SQL Server database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"user connections=[0-32,767]\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"name\": \"fab1e680-86f0-4616-bee9-1b7394e49ade\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended that, \\\"user options\\\" database flag for Cloud SQL SQL Server instance should not be configured.
The \\\"user options\\\" option specifies global defaults for all users.
A list of default query processing options is established for the duration of a user's work session.
The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
A user can override these defaults by using the SET statement.
You can configure user options dynamically for new logins.
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. Click the X next \\\"user options\\\" flag shown. 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:
1.Clearing all flags to their default value:
gcloud sql instances patch [INSTANCE_NAME] --clear-database-flags
OR
2. To clear only \\\"user options\\\" database flag, configure the database flag by overriding the \\\"user options\\\". Exclude \\\"user options\\\" flag and its value, and keep all other flags you want to configure:
gcloud sql instances patch [INSTANCE_NAME] --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"name\": \"dddbbe7d-7e32-47d8-b319-39cbb70b8f88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"remote access\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
The \\\"remote access\\\" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.
This default value for this option is 1.
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.
To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.
The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"remote access\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"remote access\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"remote access=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"name\": \"631246fb-7192-4709-a0b3-b83e65e6b550\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to set \\\"3625 (trace flag)\\\" database flag for Cloud SQL SQL Server instance to \\\"off\\\".
Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.
All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.
\\\"3625(trace log)\\\" Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.
This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.
This recommendation is applicable to SQL Server database instances.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting: Cloud SQL Instances. 2. Select the PostgreSQL instance where the database flag needs to be enabled. 3. Click \\\"Edit\\\". 4. Scroll down to the \\\"Flags\\\" section. 5. To set a flag that has not been set on the instance before, click \\\"Add item\\\", choose the flag \\\"3625\\\" from the drop-down menu and set the value as \\\"off\\\". 6. Click \\\"Save\\\". 7. Confirm the changes under \\\"Flags\\\" on the Overview page.

From Command Line:
1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
2. Configure the \\\"3625\\\" database flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch INSTANCE_NAME --database-flags \\\"3625=off\\\"

Note:
This command will overwrite all database flags previously set.
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.
For flags that do not take a value, specify the flag name followed by an equals sign (\\\"=\\\").\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"System Information Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"name\": \"58c07fca-9c6e-46fa-84a7-642f224a1d18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile;
or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version;
or (3) a CUSTOM profile that does not support any of the following features:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers.
Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.
GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.
To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites.
In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\",\r\n \"remediationDescription\": \" From the Console:
1. If the \\\"TargetSSLProxy\\\" or \\\"TargetHttpsProxy\\\" does not have an SSL policy configured, create a new \\\"SSL policy\\\". Otherwise, modify the existing insecure policy. 2. Navigate to the \\\"SSL Policies\\\" page by visiting: https://console.cloud.google.com/net-security/sslpolicies. 3. Click on the name of the \\\"insecure policy\\\" to go to its \\\"SSL policy\\\" details page. 4. Click \\\"EDIT\\\". 5. Set \\\"Minimum TLS version\\\" to \\\"TLS 1.2\\\". 6. Set \\\"Profile\\\" to \\\"Modern\\\" or \\\"Restricted\\\". 7. Alternatively, if teh user selects the profile \\\"Custom\\\", make sure that the following features are disabled:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Command Line:
For each insecure SSL policy, update it to use secure cyphers:
gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]
If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Weaken Encryption\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"name\": \"6ca40f30-2508-4c90-85b6-36564b909364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.
If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
By default, Google Compute Engine encrypts all data at rest.
Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
At least business critical VMs should have VM disks encrypted with CSEK.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to Compute Engine \\\"Disks\\\" by visiting: https://console.cloud.google.com/compute/disks. 2. Click \\\"CREATE DISK\\\". 3. Set \\\"Encryption\\\" type to \\\"Customer supplied\\\". 4. Provide the \\\"Key\\\" in the box. 5. Select \\\"Wrapped key\\\". 6. Click \\\"Create\\\".

From Command Line:
In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create DISK_NAME --csek-key-file example-file.json \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\",\r\n \"Data from Local System\",\r\n \"Data Encrypted for Impact\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"name\": \"c10bad5f-cd86-4ea0-a40c-5d31510da525\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud DNS logging is enabled for all VPC networks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver.
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing,
and other technology that can obscure the DNS name used by a client from the IP address.
Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC.
These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS)
and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\",\r\n \"remediationDescription\": \" From Command Line:
Add New DNS Policy With Logging Enabled
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description='Enable DNS Logging' --networks=VPC_NETWORK_NAME The VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policy For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
The VPC_NETWORK_NAME can be one or more networks in comma-separated list\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"name\": \"814c3346-91c9-4e70-90b6-985cfd3e0478\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed.
To ensure that load balancing works correctly health checks should also be allowed.
IAP ensure that access to VMs is controlled by authenticating incoming requests.
However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
Care must be taken to ensure that loadblancer health checks are not blocked as this would stop the loadbalancer from correctly knowing the health of the VM and loadbalancing correctly.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the Cloud Console VPC network > Firewall rules. 2. Select the \\\"checkbox\\\" next to the following rules:
default-allow-http
default-allow-https
default-allow-internal. 3. Click \\\"Delete\\\". 4. Click \\\"Create\\\" firewall rule and set the following values:
\\\"Name:\\\" allow-iap-traffic
\\\"Targets:\\\" All instances in the network
\\\"Source IP ranges\\\" (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
\\\"Protocols and ports:\\\"
Specified protocols and ports
tcp:80 5. When you're finished updating values, click \\\"Create\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"name\": \"171e9492-73a7-43de-adce-6bd0a3cf6045\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances have Confidential Computing enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed.
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs.
Customer data will stay encrypted while it is used, indexed, queried, or trained on.
Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys.
Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\",\r\n \"remediationDescription\": \" From the Console: 1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. 2. Click \\\"DCREATE INSTANCE\\\". 3. Fill out the desired \\\"configuration\\\" for your instance. 4. Under the \\\"Confidential VM service\\\" section, check the option \\\"Enable the Confidential Computing service on this VM instance\\\". 5. Click \\\"Create\\\".

From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"name\": \"f4cfc689-cac8-4f45-8355-652dcda3ec55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables.
The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"Currently, there is no way to update the encryption of existing data in the table.
The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line:
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key 'customer_managed_key' source_dataset.source_table destination_dataset.destination_table \",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"name\": \"f024ea22-7e48-4b3b-a824-d61794c14bb4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys.
This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys.
This is seamless and does not require any additional input from the user.
For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.
Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.
Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key.
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\",\r\n \"remediationDescription\": \"The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"name\": \"0faf27b6-f1d5-4f50-b22a-5d129cba0113\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have Microsoft Defender's extension for Azure Arc installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.
The extension works with Azure Arc-enabled Kubernetes.
Learn more about Microsoft Defender for Cloud's security features for containerized environments.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"name\": \"6273e20b-8814-4fda-a297-42a70b16fcbf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GKE clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The extension works with Azure Arc-enabled Kubernetes.\",\r\n \"remediationDescription\": \"
  1. Review the recommended Arc-enabled Kubernetes parameters.
  2. Run kubectl config current-context and verify you are working with the correct GKE cluster.
  3. Download the installation script for the relevant environment (Bash or PowerShell).
  4. Run the installation script
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"name\": \"9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should be connected to Azure Arc\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environment.\",\r\n \"remediationDescription\": \"1. From the Azure portal, open \\\"Servers - Azure Arc\\\". 2. From the top left corner, select \\\"Add\\\". 3. From \\\"Add a single server\\\", select \\\"Generate script\\\". 4. In the \\\"Resource details\\\" page, select the subscription and resource group to which you have connected the machine's GCP Project. 5. 
Select \\\"Next\\\" and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"name\": \"20622d8c-2a4f-4a03-9896-a5f2f7ede717\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP VM instances should have OS config agent installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled\",\r\n \"remediationDescription\": \"Follow the steps described in GCP documentation to install the OS config agent. Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"name\": \"1716d754-8d50-4b90-87b6-0404cad9b4e3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GCP projects should have Azure Arc auto provisioning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. 
To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.\",\r\n \"remediationDescription\": \"1. From the Defender for Cloud, open \\\"Environment settings\\\". 2. For the relevant GCP project, select the three dots at the end of the row, and select \\\"Edit settings\\\". 3. For the \\\"Servers\\\" plan, select \\\"View configuration\\\". 4. Enable auto-provisioning for the Azure Arc agent and click on the \\\"Save\\\" button. 5. Select \\\"Next\\\" and follow the instructions.
Note: To enable auto-provisioning, you'll need owner permissions for the relevant subscription.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"01/19/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"name\": \"29ed3416-2035-4d44-986e-0bcbb7de172e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", to delete API Keys: Click the \\\"Delete Bin Icon\\\" in front of every \\\"API Key Name\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"name\": \"63e0e2db-70c3-4edc-becf-93961d3156ed\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API-Keys appear below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriat.
For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section, set the application restrictions to any of \\\"HTTP referrers\\\", \\\"IP Adresses\\\", \\\"Android Apps\\\", \\\"iOs Apps\\\". 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every unrestricted API key.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to any host \\\"(0.0.0.0 or 0.0.0.0/0 or ::0)\\\"\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"name\": \"54d3b0ae-67b3-4fee-9ac4-f6c784b9d16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

Security risks involved in using API-Keys are below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API-Keys can be restricted to use (call) only APIs required by an application.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. In the \\\"Key restrictions\\\" section go to \\\"API restrictions\\\". 4. Click the \\\"Select API\\\" drop-down to choose an API. 5. Click \\\"Save\\\". 6. Repeat steps 2,3,4,5 for every unrestricted API key.

\\\"Note\\\": Do not set API restrictions to Google Cloud APIs, as this option allows access to all services offered by Google cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Steal Application Access Token\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"name\": \"fbc1ef5d-989e-4b64-8e9d-221b422f9c43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is recommended to rotate API keys every 90 days.

Security risks involved in using API-Keys are listed below:
1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API Keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \" From the Console:
1. Go to \\\"APIs & Services - Credentials\\\" using https://console.cloud.google.com/apis/credentials. 2. In the section \\\"API Keys\\\", Click the \\\"API Key Name\\\". The API Key properties display on a new page. 3. Click \\\"REGENERATE KEY\\\" to rotate API key. 4. Click \\\"Save\\\". 5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.

\\\"Note\\\": Do not set \\\"HTTP referrers\\\" to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s).
Do not set \\\"IP addresses\\\" and referrer to \\\"any host (0.0.0.0 or 0.0.0.0/0 or ::0)\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"02/15/2022\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"name\": \"a47a6c3b-0629-406c-ad09-d91f7d9f78a3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommend that the use of this account be avoided.
The \\\"root\\\" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.\",\r\n \"remediationDescription\": \"Follow the remediation instructions of the \\\"Ensure IAM policies are attached only to groups or roles\\\" recommendation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"name\": \"b73d3c97-01e1-43b4-bf01-a459e5eed3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
It is recommended that MFA be enabled for all accounts that have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"Perform the following to enable MFA: 1. Sign in to the AWS Management Console and open the IAM console. 2. In the navigation pane, choose Users. 3. In the User Name list, choose the name of the intended MFA user. 4. Choose the Security Credentials tab, and then choose Manage MFA Device. 5. In the Manage MFA Device wizard, choose A virtual MFA device, and then chooseNext Step. IAM generates and displays configuration information for the virtual MFA device, includinga QR code graphic. The graphic is a representation of the 'secret configuration key' that isavailable for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application support smultiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:
* Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
* In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords. 8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"name\": \"f13dc885-79aa-456b-ba28-3428147ecf55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4. Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for credentials that have not been used in 90 Days
7. As an IAM User: Click on \\\"Make Inactive\\\" or \\\"Delete\\\" for credentials which have not been used in 90 Days\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"name\": \"d72f547e-c011-4cdb-9dda-8c4d6dc09bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"Perform the following to rotate access keys:
1. Login to the AWS Management Console:
2. Click \\\"Services\\\"
3. Click \\\"IAM\\\"
4.Click on \\\"Users\\\"
5. Click on \\\"Security Credentials\\\"
6. As an Administrator: Click on \\\"Make Inactive\\\" for keys that have not been rotated in 90 Days
7. As an IAM User: Click on \\\"MakeInactive\\\" or \\\"Delete\\\" for keys which have not been rotated or used in 90 Days
8. Click on \\\"Create Access Key\\\"
9. Update programmatic call with new Access Key credentials
Via CLI:
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"name\": \"6e5ebe18-e026-4c26-875c-fcbea8089071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one uppercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one uppercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-uppercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"name\": \"1c420241-9bec-4af8-afb7-038a711b7d22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one lowercase letter.
Setting a password complexity policy increases account resiliency against brute force login attempts\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-lowercase-characters
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"name\": \"1919c309-1c8b-4fab-bd8c-7ff77521db40\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one symbol.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed: Via the AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Check \\\"Requires at least one lowercase letter\\\"
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-symbols
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"name\": \"84fb0ae8-4785-449c-b9ac-e106a2509540\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets.
It is recommended that the password policy require at least one number.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Require at least one number\\\" 5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --require-numbers
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"name\": \"e109af9f-128b-4774-a40c-aab8eff3934c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length '14'.
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on \\\"Account Settings\\\" on the Left Pane
4. Set \\\"Minimum password length\\\" to 14 or greater.
5. Click \\\"Apply password policy\\\"
Via CLI:
aws iam update-account-password-policy --minimum-password-length 14
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"name\": \"22e99393-671c-4979-a08a-cd1533da9ece\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Prevent password reuse\\\" 5. Set \\\"Number of passwords to remember\\\" is set to '24'.
Via CLI:
aws iam update-account-password-policy --password-reuse-prevention 24
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"name\": \"729c20d1-fe7c-4e1b-8c9c-ab5ad56d7f96\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days.
It is recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
* Many people use the same password for many systems such as work, email, and personal.
* Compromised end user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"Perform the following to set the password policy as prescribed:
Via AWS Console:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on \\\"Account Settings\\\" on the Left Pane 4. Check \\\"Enable password expiration\\\" 5. Set \\\"Password expiration period (in days):\\\" to 90 or less
Via CLI:
aws iam update-account-password-policy --max-password-age 90
Note: All commands starting with aws iam update-account-password-policy can be combined into a single command.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"name\": \"412835f5-0339-4180-9c22-ea8735dc6c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Root account access key shouldn't exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root account be removed.
Removing access keys associated with the root account limits vectors by which the account can be compromised.
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\",\r\n \"remediationDescription\": \"To delete access keys:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Access keys (access key ID and secret access key)\\\".
5. To permanently delete the key, select \\\"Delete\\\" and then select \\\"Yes\\\". You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"name\": \"1c9ea4ef-3bb5-4f02-b8b9-55e788e1a21a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"To enable MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\".
4. Select \\\"Multi-factor authentication (MFA)\\\".
\\t5. Select \\\"Activate MFA\\\".
6. Select the type of device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"name\": \"eb39e935-38fc-4b0c-8cf2-d6affab0306a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.
For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.
Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"To enable hardware-based MFA for the root account:
1. Log in to your account using the root credentials.
2. Select the account name near the top-right corner of the page and then select \\\"My Security Credentials\\\".
3. In the pop-up warning, select \\\"Continue to Security Credentials\\\". 4. Select \\\"Multi-factor authentication (MFA)\\\".
5. Select \\\"Activate MFA\\\".
6. Select a hardware-based (not virtual) device to use for MFA and then select \\\"Continue\\\".
7. Complete the steps to configure the device type appropriate to your selection.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"name\": \"a773f81a-0b2d-4f8e-826a-77fc432416c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should be attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow.
Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"To remediate, create an IAM group, assign the policy to the group, and then add the users to the group. The policy is applied to each user in the group.

To create an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\" and then select \\\"Create New Group\\\".
\\t3. Enter a name for the group to create and then select \\\"Next Step\\\".
4. Select each policy to assign to the group and then select \\\"Next Step\\\".
The policies that you Select should include any policies currently attached directly to a user account.
The next step to resolve a failed check is to add users to a group and then assign the policies to that group.
Each user in the group gets assigned the policies assigned to the group.
5. Confirm the details on the \\\"Review\\\" page and then select \\\"Create Group\\\".
For more information about creating groups, see Creating IAM groups [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html] in the IAM User Guide.

To add users to an IAM group:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Groups\\\".
3. select \\\"Group Actions\\\" and then select \\\"Add Users to Group\\\".
4. Select the users to add to the group and then select \\\"Add Users\\\".
For more information about adding users to groups, see Adding and removing users in an IAM group [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html].

To remove a policy attached directly to a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. For the user to detach a policy from, select the name in the \\\"User name\\\" column.
4. For each policy listed under \\\"Attached directly\\\", select the \\\"X\\\" on the right side of the page to remove the policy from the user and then select \\\"Remove\\\".
5. Confirm that the user can still use AWS services as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"name\": \"6614c30d-c9f3-4acd-8371-c8f362148398\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.\",\r\n \"remediationDescription\": \"Using the Amazon unified command line interface:
Create an IAM role for managing incidents with AWS:
* Create a trust relationship policy document that allows \\\"iam_user\\\" to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [ { \\\"Effect\\\": \\\"Allow\\\", \\\"Principal\\\": { \\\"AWS\\\": \\\"<span style=\\\"font-style: italic;\\\"><iam_user></span>\\\" }, \\\"Action\\\": \\\"sts:AssumeRole\\\" } ] }
* Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
* Attach \\\"AWSSupportAccess\\\" managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name<aws_support_iam_role>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"name\": \"655f9340-184f-4b6e-8214-b835003ab0b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Do not setup access keys during initial user setup for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.
In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.
Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization\",\r\n \"remediationDescription\": \"Perform the following to delete access keys that do not pass the audit: 1. Login to the AWS Management Console: 2. Click \\\"Services\\\" 3. Click \\\"IAM\\\" 4. Click on \\\"Users\\\" 5. Click on \\\"Security Credentials\\\" 6. As an Administrator
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User
* Click on \\\"Delete\\\" for keys that were created at the same time as the user profile but have not been used.
Via CLI:
aws iam delete-access-key\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"name\": \"1d08b362-7e24-46b0-bed1-4a6c1d1526a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies that allow full \\\"*:*\\\" administrative privileges should not be created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task.
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\" should be removed.\",\r\n \"remediationDescription\": \"To modify an IAM policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Policies\\\".
3. Select the radio button next to the policy to remove. 4. From the \\\"Policy actions\\\" drop-down menu, select \\\"Detach\\\".
5. On the \\\"Detach policy\\\" page, select the radio button next to each user to detach the policy from and then select \\\"Detach policy\\\".
Confirm that the user that you detached the policy from can still access AWS services and resources as expected.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"name\": \"b3d8e09b-83a6-417a-ae1e-3f5b54576965\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
* ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
* ensuring that a multi-regions trail exists will ensure that \\\"Global Service Logging\\\" is enabled for a trail by default to capture recording of events generated on AWS global services
* for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"Perform the following to enable global (Multi-region) CloudTrail logging:
Via the management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on \\\"Trails\\\" on the left navigation pane.
3. Click \\\"Get Started Now\\\", if presented
* Click \\\"Add new trail\\\"
* Enter a trail name in the \\\"Trail name\\\" box.
* Set the \\\"Apply trail to all regions\\\" option to \\\"Yes\\\".
* Specify an S3 bucket name in the \\\"S3 bucket\\\" box.
* Click \\\"Create\\\".
4. If 1 or more trails already exist, select the target trail to enable for global logging.
5. Click the edit icon (pencil) next to \\\"Apply trail to all regions\\\", Click \\\"Yes\\\" and Click \\\"Save\\\". 6. Click the edit icon (pencil) next to \\\"Management Events\\\", click \\\"All\\\" for setting \\\"Read/Write Events\\\" and Click \\\"Save\\\".
Via CLI:
aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

Note: Creating CloudTrail via CLI without providing any overriding options configures
Management Events to set All type of Read/Writes by default.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"name\": \"324ec96c-9719-46ce-b6a9-e7f4fed7dd6e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrails.\",\r\n \"remediationDescription\": \"Enable log file validation on a given trail:
Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Select on \\\"Trails\\\" on the left navigation pane
3. Select the target trail
4. Within the \\\"S3\\\" section select the edit icon (pencil)
5. Select \\\"Advanced\\\"
6. Select \\\"Yes\\\" radio button in section \\\"Enable log file validation\\\"
7. Click \\\"Save\\\"
Via CLI
aws cloudtrail update-trail --name --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"name\": \"a41f2846-4a59-44e9-89bb-1f62d4b03a85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.
It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
2. Right-click on the bucket and click Properties.
3. In the \\\"Properties\\\" pane, click the \\\"Permissions\\\" tab.
4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
5. Select the row that grants permission to \\\"Everyone\\\" or \\\"Any Authenticated User\\\".
6. Uncheck all the permissions granted to \\\"Everyone\\\" or \\\"Any Authenticated User\\\" (click x to delete the row).
7. Click \\\"Save\\\" to save the ACL.
8. If the \\\"Edit bucket policy\\\" button is present, click it.
9. Remove any \\\"Statement\\\" having an \\\"Effect\\\" set to \\\"Allow\\\" and a \\\"Principal\\\" set to \\\"*\\\" or {\\\"AWS\\\" : \\\"*\\\"}.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"name\": \"842be2e5-2cd8-420f-969a-6d6b4096c580\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommended that CloudTrail logs will be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.\",\r\n \"remediationDescription\": \"Via the AWS management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
2. Under All Buckets, select the target bucket you wish to evaluate.
3. Select Properties on the top right of the console.
4. Select Trails\\\" in the left menu.
5. Click on each trail where no \\\"CloudWatch Logs\\\" are defined.
6. Go to the \\\"CloudWatch Logs\\\" section and then select \\\"Configure\\\".
7. Define a new or select an existing log group.
8. Click on \\\"Continue\\\".
9. Configure \\\"IAM Role\\\" which will deliver CloudTrail events to CloudWatch Logs
* Create/Select an \\\"IAM Role\\\" and \\\"Policy Name\\\".
* Select \\\"Allow\\\" to continue.
Note that it can also be enabled via CLI:
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-grouparn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"name\": \"3ff06f36-f8fd-4af5-bd02-5195593423fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.
It is recommended to enable AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"To implement AWS Config configuration:
Via AWS Management Console:
1. Select the region you want to focus on in the top right of the console.
2. Click \\\"Services\\\".
3. Click \\\"Config\\\".
4. Define which resources you want to record in the selected region.
5. Choose to include global resources (IAM resources).
6. Specify an S3 bucket in the same account or in another managed AWS account.
7. Create an SNS Topic from the same AWS account or another managed AWS account.

Via AWS Command Line Interface:
1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the AWS Config Service prerequisites.
2. Run this command to set up the configuration recorder:
aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole
3. Run this command to start the configuration recorder:
start-configuration-recorder --configuration-recorder-name <value>\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"name\": \"759e80dc-92c2-4afd-afa3-c01294999363\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket for each request made to your S3 bucket.
An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\",\r\n \"remediationDescription\": \"Perform the following to enable S3 bucket logging:
Via the Management Console.
1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
2. Under \\\"All Buckets\\\" click on the target S3 bucket.
3. Click on \\\"Properties\\\" in the top right of the console.
4. Under \\\"Bucket\\\": <s3_bucket_for_cloudtrail> click on \\\"Logging\\\".
5. Configure bucket logging.
* Click on \\\"Enabled\\\" checkbox.
* Select Target Bucket from list.
* Enter a Target Prefix.
6. Click \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/190f732b-c68e-4816-9961-aba074272627\",\r\n \"name\": \"190f732b-c68e-4816-9961-aba074272627\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommended to configure CloudTrail use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"To configure CloudTrail SSE-KMS:
Via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. In the left navigation pane, select \\\"Trails\\\"
.
3. Click on a Trail.
4. Under the \\\"S3\\\"section click on the edit button (pencil icon).
5. Click \\\"Advanced\\\".
6. Select an existing CMK from the \\\"KMS key Id\\\" drop-down menu.
* Note: Ensure the CMK is located in the same region as the S3 bucket
* Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.
7. Click \\\"Save\\\".
8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
9. Click \\\"Yes\\\".

Via CLI:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"name\": \"66748314-d51c-4d9c-b789-eebef29a7039\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK).
It is the backing key that is used to perform cryptographic operations such as encryption and decryption.
Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\",\r\n \"remediationDescription\": \"Via the Management Console:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam.
2. In the left navigation pane, choose \\\"Encryption Keys\\\".
3. Select a customer created master key (CMK).
4. Under the \\\"Key Policy\\\" section, move down to \\\"Key Rotation\\\".
5. Check the \\\"Rotate this key every year\\\" checkbox.

Via CLI
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id <kms_key_id>\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"name\": \"3428e584-0fa6-48c0-817e-6d689d7bb879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or insight during security events.\",\r\n \"remediationDescription\": \"1. Sign into the management console.
2. Select \\\"Services\\\" then \\\"VPC\\\".
3. In the left navigation pane, select \\\"Your VPCs\\\".
4. Select a VPC.
5. In the right pane, select the \\\"Flow Logs\\\" tab.
6. If no Flow Log exists, select \\\"Create Flow Log\\\".
7. For Filter, select Reject.
8. Enter in a \\\"Role\\\" and \\\"Destination Log Group\\\".
9. Select \\\"Create Log Flow\\\".
10. Select \\\"CloudWatch Logs Group\\\".

Note: Setting the filter to \\\"Reject\\\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"name\": \"231951ea-e9db-41cd-a7d0-611105fa4fb9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<unauthorized_api_calls_metric>` --metric-transformations metricName= `<unauthorized_api_calls_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<unauthorized_api_calls_alarm>` --metric-name `<unauthorized_api_calls_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"name\": \"001ddfe0-1b98-443f-819d-99f060fd67d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"name\": \"59f84fbd-7946-41b3-88b1-d899dcac92bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of 'root' account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for \\\"Root\\\" account usage and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filterpattern '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOTEXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metricname `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"name\": \"8e5ad1a9-3803-4399-baf2-a7eb9483b954\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName=`<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"name\": \"0dc3b824-092a-4fc6-b8b4-31d5c2403024\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging)}'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"name\": \"0e09bb35-54a3-48a1-855d-9fd3239deaf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for failed console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = ConsoleLogin) && ($.errorMessage = \\\"Failed authentication\\\") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"name\": \"d12e97c1-1f3e-4c69-8cc1-6e4cc6a9b167\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
Data encrypted with disabled or deleted keys will no longer be accessible.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metrictransformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"name\": \"69ed2dc0-6f39-4a33-a747-20a28f85b33c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"name\": \"965a7c7f-e6da-4062-83f4-9c1800e51e44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"name\": \"aedabb63-8bdb-47f9-955c-72b652a75e2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
It is recommended that a metric filter and alarm be established changes to Security Groups.
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for security groups changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<security_group_changes_metric>` --metric-transformations metricName= `<security_group_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<security_group_changes_alarm>` --metric-name `<security_group_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"name\": \"ec356185-75b9-4ff2-a284-9f64fc885e72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.
It is recommended that a metric filter and alarm be established for changes made to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for NACL changes and the log group name taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName = `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"name\": \"c7156050-6f51-4d3f-a880-9f2363648cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.
It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluationperiods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"name\": \"7e70666f-4bec-4ca0-8b59-c6c8b9b3cc1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.
It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"name\": \"4b4bfa9b-fd2a-43f1-961f-654b9d5c9a60\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. \",\r\n \"remediationDescription\": \"Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern provided which checks for VPC changes and the <cloudtrail_log_group_name> taken from audit step '1'.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName = `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step '2'.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step '1' and an SNS topic created in step '2'.
aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"name\": \"e1f4bba6-5f43-4dc5-ab15-f2a9f5807fea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.\",\r\n \"remediationDescription\": \"1. Login to the AWS Management Console at VPC
2. In the left pane, select \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5. Select the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Select the \\\"x\\\" in the \\\"Remove\\\" column
8. Select \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"name\": \"79082bbe-34fc-480a-a7fc-3aad94954609\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"Perform the following to implement the prescribed state:
1. Login to the AWS Management Console at VPC
2. In the left pane, click \\\"Security Groups\\\"
3. For each security group, perform the following:
4. Select the security group
5.Click the \\\"Inbound Rules\\\" tab
6. Identify the rules to be removed
7. Click the \\\"x\\\" in the \\\"Remove\\\" column
8. Click \\\"Save\\\"\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"name\": \"500c4d2e-9baf-4081-b8a8-936ac85771a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC's default security group should restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security group should restrict all traffic to reduce resource exposure.\",\r\n \"remediationDescription\": \"1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group

Security Group State:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, select \\\"Security Groups\\\"
4. For each default security group, perform the following:
5. Select the \\\"default\\\" security group
6. Select the \\\"Inbound Rules\\\" tab
7. Remove any inbound rules
8. Select the \\\"Outbound Rules\\\" tab
9. Remove any outbound rules\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation of Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"name\": \"837d6a45-503f-4c95-bf42-323763960b62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.\",\r\n \"remediationDescription\": \"To enable Elastic Load Balancing health checks:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under \\\"Auto Scaling\\\", choose \\\"Auto Scaling Groups\\\".
3. To select the group from the list, choose the right box.
4. From \\\"Actions\\\", choose \\\"Edit\\\"
5. For \\\"Health Check Type\\\", choose \\\"ELB\\\".
6. For \\\"Health Check Grace Period\\\", enter \\\"300\\\".
7. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"name\": \"2917bcec-6991-4ea4-9e73-156e6ef831e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"To create a new trail in CloudTrail
1. Sign in to the AWS Management Console using the IAM user you configured for CloudTrail administration.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
3. Select the AWS Region where you want your trail to be created.
4. In the navigation pane, select \\\"Trails\\\".
5. On the \\\"Trails\\\" page, select \\\"Get Started Now\\\". If you do not see that option, select \\\"Create Trail\\\".
6. In\\\" Trail name\\\", provide your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.
7. In \\\"Management Events\\\", make sure \\\"Read/Write\\\" events is set to \\\"All\\\".
8. In \\\"Data Events\\\", do not make any changes. This trail will not log any data events.
9. Create a new S3 bucket for the logs:
a. In \\\"Storage Location\\\", in \\\"Create a new S3 bucket\\\", select \\\"Yes\\\".
b. In \\\"S3 bucket\\\", provide your bucket a name.
c. Under \\\"Advanced\\\", choose \\\"Yes\\\" for both \\\"Encrypt log files with SSE-KMS\\\" and \\\"Enable log file validation\\\".
10. Choose \\\"Create\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"name\": \"132a70b8-ffda-457a-b7a3-e6f2e01fc0af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect your replicated instances from threats. A private replication instance should have a private IP address that you cannot access outside of the replication network.
A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users.
To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"To configure the AWS DMS replication instances setting to be not publicly accessible:
1. Open the AWS Database Migration Service console at https://console.aws.amazon.com/dms/.
2. In the left navigation pane, under \\\"Resource management\\\", navigate to \\\"Replication instances\\\".
3. To delete the public instance, select the check box for the instance, choose \\\"Actions\\\", then choose \\\"delete\\\".
4. Choose \\\"Create replication instance\\\". Provide the configuration details.
5.To disable public access, make sure that \\\"Publicly accessible\\\" is not selected.
6. Choose \\\"Create\\\",
Note: public access setting cannot be changed once a replication instance is created. It must be deleted and recreated.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"name\": \"02e8de17-1a01-45cb-b906-6d07a78f4b3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon EBS snapshots should not be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"Make a public Amazon EBS snapshot private
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Elastic Block Store\\\", select \\\"Snapshots\\\" and then select your public snapshot.
3. Select \\\"Actions\\\", then select \\\"Modify permissions\\\".
4. Select \\\"Private\\\".
5. (Optional) Add AWS account numbers for authorized accounts to share your snapshot with.
6. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"name\": \"f065cc7b-f63b-4865-b8ff-4a1292e1a5cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups should be attached to Amazon EC2 instances or to an ENI.
healthy finding can indicate there are unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"The following steps should be applied to each security group not attached to an ENI.
To delete a security group:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under \\\"Security\\\", select \\\"Security groups\\\".
3. Select the check box for the security group to delete.
4. From \\\"Actions\\\", select \\\"Delete security group\\\".
5. Select \\\"Delete\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"name\": \"601406b5-110c-41be-ad69-9c5661ba5f7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).\",\r\n \"remediationDescription\": \"To release an Elastic IP address follow the following steps. Note that in oder to release an address, it shouldn't be associated with an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Network & Security\\\", select \\\"Elastic IPs\\\".
3. Select the Elastic IP address, select \\\"Actions\\\", and then select \\\"Release Elastic IP address\\\".
4. When prompted, select \\\"Release\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"name\": \"fce0daac-96e4-47ab-ab35-18ac6b7dcc70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"To redirect HTTP requests to HTTPS on an Application Load Balancer:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under \\\"Load Balancing\\\", select \\\"Load balancers\\\".
3. Select an Application Load Balancer.
4. Select \\\"Listeners\\\".
5. Enable the check box for an HTTP listener (port 80 TCP) and then select \\\"Edit\\\".
6. If there is an existing rule, you must delete it. Otherwise, select \\\"Add action\\\" and then select \\\"Redirect to...\\\".
7. Select \\\"HTTPS\\\" and then enter 443.
8. Select the check mark in a circle symbol and then select \\\"Update\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"name\": \"df952171-786d-44b5-b309-9c982bddeb7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC cannot contain domains with a public endpoint.
Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.\",\r\n \"remediationDescription\": \"If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.
The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"name\": \"cf747c91-14f3-4b30-aafe-eb12c18fd030\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"It is important to enable encryptions rest of Amazon ES domains to protect sensitive data\",\r\n \"remediationDescription\": \"By default, domains do not encrypt data at rest.
To enable the feature, you must create another domain and migrate your data.
Note: existing domains cannot be configured to use the feature.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"name\": \"4b32e0a4-44a7-4f18-ad92-549f7d219061\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.
Note: GuardDuty might not be a complete solution for every environment\",\r\n \"remediationDescription\": \"To enable GuardDuty:
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ \\t
2. Choose \\\"Get Started\\\".
Choose \\\"Enable GuardDuty\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"name\": \"9c676d6f-60cb-4c7b-a484-17164c598016\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"All IAM users should have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"To configure MFA for a user:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Select \\\"Users\\\".
3. Select the user name of the user to configure MFA for.
4. Select \\\"Security credentials\\\" and then Select \\\"Manage\\\" next to \\\"Assigned MFA device\\\".
5. Follow the \\\"Manage MFA Device\\\" wizard to assign the type of device appropriate for your environments.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"name\": \"fd751d04-8378-4cf8-8f1b-594ee340ae08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the account password policy for IAM users uses the following minimum configurations.
* RequireUppercaseCharacters- Require at least one uppercase character in password. (Default = true)
* RequireLowercaseCharacters- Require at least one lowercase character in password. (Default = true)
* RequireNumbers- Require at least one number in password. (Default = true)
* MinimumPasswordLength- Password minimum length. (Default = 7 or longer)
* PasswordReusePrevention- Number of passwords before allowing reuse. (Default = 4)
* MaxPasswordAge- Number of days before password expiration. (Default = 90)\",\r\n \"remediationDescription\": \"To modify the password policy:
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Under \\\"Access management\\\", select \\\"Account settings\\\".
3. Select \\\"Prevent password reuse\\\". For \\\"Number of passwords to remember\\\", enter \\\"24\\\".
\\t4. Select \\\"Change password policy\\\".
5. Select \\\"Require at least one uppercase letter from Latin alphabet (A-Z)\\\".
6. Select \\\"Require at least one lowercase letter from Latin alphabet (a-z)\\\".
7. Select \\\"Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')\\\".
8. Select \\\"Require at least one number\\\".
9. For \\\"Enforce minimum password length\\\", enter \\\"14\\\".
10. Select \\\"Enable password expiration\\\". For \\\"Expire passwords in day(s)\\\", enter \\\"90\\\".
11. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"name\": \"64b236a0-f9d7-454a-942a-8c2ba3943cf7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should restrict public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Lambda function resource-based policy should restrict public access. This recommendation does not check access by internal principals.
Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.\",\r\n \"remediationDescription\": \"To use the AWS CLI to revoke function-use permission from an AWS service or another account:
1. Get the statement ID from the output of GetPolicy, from the AWS CLI and run the following:
aws lambda get-policy --function-name yourfunctionname
This returns the policy string associated with the publicly accessible Lambda function.
2. From the policy statement returned by the get-policy command, copy the string value of the Sid field, and run from the AWS CLI, run
aws lambda remove-permission --function-name yourfunctionname --statement-id youridvalue

To use the Lambda console to restrict access to the Lambda function:
1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/, Navigate to \\\"Functions\\\" and then select your publicly accessible Lambda function.
2. Under \\\"Designer\\\" select the key icon at the top left, that has the tool-tip \\\"View permissions\\\".
3. Under \\\"Function policy\\\", Consider adding the following IAM condition to scope access to your account only.
\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"AWS:SourceAccount\\\":\\\"account_id\\\"}}\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"name\": \"10445918-c305-4c6a-9851-250e8ec7b872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Configure Lambda functions to a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account:
1. From the AWS Lambda console, https://console.aws.amazon.com/lambda/, open \\\"Functions\\\" and select your Lambda function.
2. From the \\\"Network\\\" section, select a VPC with the connectivity requirements of the function.
3. To run your functions in high availability mode, select at least two subnets.
4. Select at least one security group that has the connectivity requirements of the function.
5. Save your changes.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"name\": \"f64521fc-a9f1-4d43-b667-8d94b4a202af\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.\",\r\n \"remediationDescription\": \"To remove public access for Amazon RDS Snapshots:
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Snapshots\\\" and select the public Snapshot to modify.
2. From the \\\"Actions\\\" list, select \\\"Share Snapshots\\\".
3. From \\\"DB snapshot visibility\\\", select \\\"Private\\\" and \\\"for all\\\".
4. Save your changes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"name\": \"72f3b7f1-76b8-4cf5-8da5-4ba5745b512c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.\",\r\n \"remediationDescription\": \"To remove public access for an Amazon RDS Database, follow one of these procedures:

\\\"Modify the DB instance's publicly accessible configuration:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. Select \\\"Modify\\\".
3. Scroll to \\\"Network & Security\\\".
4. For the Public accessibility option, select \\\"No\\\".
5. Scroll to the bottom and select \\\"Continue\\\".
6. From \\\"Scheduling of modifications\\\", select \\\"Apply immediately\\\".
7. Select \\\"Modify DB Instance\\\".
\\\"Configure the VPC subnet security group to prohibit public access:\\\"
1. From the Amazon RDS console, https://console.aws.amazon.com/rds/, open \\\"Databases\\\" and select the public database.
2. From \\\"Connectivity & Security\\\", select the configured VPC security group.
3. From the \\\"Actions\\\" list, select \\\"Edit inbound rules\\\".
4. Define rules to prohibit public access (you can choose between specific IPs, ranges of IPs and security groups).
5. Select \\\"Save rules\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"name\": \"7f5ac036-11e1-4cda-89b5-a115b9ae4f72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend Amazon Redshift clusters to avoid public accessibility by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"To disable public access for an Amazon Redshift cluster:
1. From the Amazon RDS console, https://console.aws.amazon.com/redshift/, open \\\"Clusters\\\" and select your public Amazon Redshift cluster.
2. From the \\\"Cluster\\\" drop-down menu, select \\\"Modify cluster\\\".
3. For the \\\"Publicly accessible\\\" option, select \\\"No\\\".
4. Select \\\"Modify\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Infrastructure Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"name\": \"994d14f1-b8d7-4cb3-ad4e-a7ccb08065d5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public write access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.\",\r\n \"remediationDescription\": \"To remove public write access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/ and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"name\": \"f65de27c-1b77-4a2d-bc89-8631ff9ee786\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets public read access should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Removing public read access to your S3 bucket can help protect your data and prevent a data breach.\",\r\n \"remediationDescription\": \"To remove public read access for an S3 bucket
1. Open the AWS console at https://console.aws.amazon.com/s3/, and select the name of the bucket identified in the recommendation.
2. Select the \\\"Permissions\\\" tab and then select \\\"Public access settings\\\".
3. Select \\\"Edit\\\", select all four options, and then select \\\"save\\\".
4. If prompted, enter \\\"confirm\\\" and then choose \\\"confirm\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"name\": \"35713036-bd12-4646-9b92-4c56a761a710\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions.
This allows you to protect your S3 bucket against DDoS attacks and data corruption events.\",\r\n \"remediationDescription\": \"To enable S3 bucket replication:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Management\\\" and then select \\\"Replication\\\".
3. Select \\\"add rule\\\", and then select \\\"Entire bucket\\\" as your source bucket.
4. Select your destination bucket (Versioning should be enabled on the destination bucket as well).
5. Select an IAM role.
6. Enter a name for the rule, select \\\"Enabled\\\" for the status, then select \\\"Next\\\".
7. Select \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"name\": \"3cb793ab-20d3-4677-9723-024c8fed0c23\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enable server-side encryption to protect data in your S3 buckets.
Encrypting the data can prevent access to sensitive data in the event of a data breach.\",\r\n \"remediationDescription\": \"To enable default encryption on an S3 bucket
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and Select the name of the bucket identified in the recommendation.
2. Select \\\"Properties\\\" and then under the \\\"Default encryption\\\" section, select either \\\"AES-256\\\" to use keys that are managed by Amazon S3, or \\\"AWS-KMS\\\" to use keys that are managed by AWS-KMS.
*If you use AWS-KMS for default encryption, you need to choose a master key from the list of the AWS KMS master keys that you have created.
*Please note that if you use the AWS KMS you are subject to the requests per second limits. For more information about the AWS KMS limits, see the AWS Key Management Service Developer Guide.

3.Select \\\"save\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Cloud Storage Object\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"name\": \"1fb7ea50-412e-4dd4-ac79-94d54bd8f21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"We recommend to require requests to use Secure Socket Layer (SSL) on all Amazon S3 bucket.
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.\",\r\n \"remediationDescription\": \"To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Navigate to the noncompliant bucket, and then choose the bucket name.
3. Choose \\\"Permissions\\\", then choose \\\"Bucket Policy\\\".
4. Add a similar policy statement to that in the policy below. Replace \\\"awsexamplebucket\\\" with the name of the bucket you are modifying.
{\\\"Id\\\":\\\"ExamplePolicy\\\",\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AllowSSLRequestsOnly\\\",\\\"Action\\\":\\\"s3:*\\\",\\\"Effect\\\":\\\"Deny\\\",\\\"Resource\\\":[\\\"arn:aws:s3:::awsexamplebucket\\\",\\\"arn:aws:s3:::awsexamplebucket/*\\\"],\\\"Condition\\\": {\\\"Bool\\\":{\\\"aws:SecureTransport\\\":\\\"false\\\"}},\\\"Principal\\\": \\\"*\\\"}]}
5. Choose \\\"Save\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"name\": \"ac66d910-ae29-4cab-967b-c3f0810b7642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.\",\r\n \"remediationDescription\": \"To enable Amazon S3 Block Public Access:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and then select \\\"Block public access\\\" under \\\"account settings\\\".
2. Select \\\"Edit\\\" and then select \\\"Block all public access\\\".
3. Select \\\"Save changes\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Cloud Storage Object Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"name\": \"0991c64b-ccf5-4408-aee9-2ef03d460020\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disable direct internet access for Amazon SageMaker notebook instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Direct internet access should be disabled for an SageMaker notebook instance.
This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.
Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.
In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"Note that you can't change the internet access setting after a notebook instance is created. It must be stopped, deleted, and recreated.
To configure an SageMaker notebook instance to deny direct internet access:
1. From the SageMaker console, https://console.aws.amazon.com/sagemaker/, open \\\"Notebook instances\\\" and delete the instance that has direct internet access enabled.
2. Select the instance, open \\\"Actions\\\", and select \\\"Stop\\\". When the instance has stopped, open \\\"Actions\\\", and select \\\"Delete\\\".
3. Select \\\"Create notebook instance\\\" and enter the configuration details.
4. Expand the \\\"Network\\\" section and select the VPC, subnet, and security group. Under \\\"Direct internet access\\\", select \\\"Disable — Access the internet through a VPC\\\".
5. Select \\\"Create notebook instance\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Cloud Service Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"name\": \"5b3c2887-d7b7-4887-b074-4e6057027709\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.
It only checks instances that are managed by AWS Systems Manager Patch Manager.
It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'.
It also does not validate whether the patches applied were classified as security patches.
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"\\\"To remediate noncompliant patches\\\"
This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Run Command\\\".
3. Choose \\\"Run command\\\".
4. Choose the radio button next to AWS-RunPatchBaseline and then change the \\\"Operation\\\" to \\\"Install\\\".
5. Choose \\\"Choose instances manually\\\" and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose \\\"Run\\\".
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose \\\"Compliance\\\".
See the AWS Systems Manager User Guide for more information about the following
* Using Systems Manager documents to patch a managed instance
* Running commands using the Systems Manager Run command\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"name\": \"67a90ae0-b3d1-44f0-9dcf-a03234ebeb65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, \\\"Configuration\\\" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as \\\"Critical\\\" or \\\"Medium\\\". To learn more about State Manager association compliance, see About About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to Create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.\",\r\n \"remediationDescription\": \"A failed association can be related to different things, including targets and SSM document names. To remediate this issue, you must first identify and investigate the association. You can then update the association to correct the specific issue.
You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Systems Manager creates a new version.
\\\"To investigate and update a failed association\\\"
1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the navigation pane, under \\\"Node Management\\\", choose \\\"Fleet Manager\\\".
3. Choose the instance ID that has an \\\"Association status\\\" of \\\"Failed\\\".
4. Choose \\\"View details\\\".
5. Choose \\\"Associations\\\".
6. Note the name of the association that has an \\\"Association status\\\" of \\\"Failed\\\". This is the association that you need to investigate. You need to use the association name in the next step.
7. In the navigation pane,under \\\"Node Management\\\", choose \\\"State Manager\\\". Search for the association name, then select the association. After you determine the issue, edit the failed association to correct the problem. For information on how to edit an association, see Edit an association.
For more information on creating and editing State Manager associations, see Working with associations in Systems Manager in the AWS Systems Manager User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"name\": \"4be5393d-cc33-4ef7-acae-80295bc3ae35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance.
Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked. \",\r\n \"remediationDescription\": \"To ensure EC2 instances are managed by Systems Manager:
1. From the AWS Systems Manager console, https://console.aws.amazon.com/systems-manager/, select \\\"Quick setup\\\".
2. Leave the default options.
3. Select \\\"Set up Systems Manager\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"name\": \"9694d4ef-f21a-40b7-b535-618ac5c5d21e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories.
Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Choose the build project that contains personal access tokens or a user name and password.
3. From \\\"Edit\\\", choose \\\"Source\\\".
4. Choose \\\"Disconnect from GitHub / Bitbucket\\\".
5. Choose \\\"Connect using OAuth\\\", then choose \\\"Connect to GitHub / Bitbucket\\\".
6. When prompted, choose \\\"authorize as appropriate\\\".
7. Reconfigure your repository URL and additional configuration settings, as needed.
8. Choose \\\"Update source\\\".
For more information, refer to CodeBuild use case-based samples the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"name\": \"a88b4b72-b461-4b5e-b024-91da1cbe500f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.\",\r\n \"remediationDescription\": \"To remediate this issue, update your CodeBuild project to remove the environment variable.
To remove environment variables from a CodeBuild project
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\".
6. Choose \\\"Update environment\\\".

To store sensitive values in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec
1. Open the CodeBuild console at https://console.aws.amazon.com/codebuild/.
2. Expand \\\"Build\\\".
3. Choose \\\"Build project\\\", and then choose the build project that contains plaintext credentials.
4. From \\\"Edit\\\", choose \\\"Environment\\\".
5. Expand \\\"Additional configuration\\\" and scroll to \\\"Environment variables\\\".
6. Follow this tutorial to create a Systems Manager parameter that contains your sensitive data.
7. After you create the parameter, copy the parameter name.
8. Back in the CodeBuild console, choose \\\"Create environmental variable\\\".
9. Enter the name of your variable as it appears in your build spec.
10. For \\\"Value\\\", paste the name of your parameter.
11. For \\\"Type\\\", choose \\\"Parameter\\\".
12. To remove your noncompliant environmental variable that contains plaintext credentials, choose \\\"Remove\\\".
13. Choose \\\"Update environment\\\".
For more information, see Environment variables in build environments in the AWS CodeBuild User Guide.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"09/15/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use Secure Boot\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate system reboot. To enable it:
1. From Azure Virtual Machines, open your machine.
2. From the VM details page, open the 'Configuration' tab and select 'Secure boot'.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"name\": \"e2f798b8-621a-4d46-99d7-1310e09eba26\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should enforce kernel module signature validation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"Enforcing kernel module signature validation requires a system reboot. To enforce it:
1. From Azure Virtual Machines, open your machine.
2. Run:
sudo azsecd remediate -r enforce-kernelmodule-ci
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"name\": \"d79a60ef-d490-484e-91ed-f45ceb0e7cfb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be restarted to apply security configuration updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.\",\r\n \"remediationDescription\": \"To restart the machine:
1. From Azure Virtual Machines, open your machine.
2. Select 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"name\": \"b7604066-ed76-45f9-a5c1-c97e4812dc55\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines guest attestation status should be healthy\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection.
This assessment applies to Trusted Launch and Confidential virtual machines that have the Guest Attestation extension installed.\",\r\n \"remediationDescription\": \"1. Scan your machine to ensure it isn't infected with malicious software.
2. Verify across your organization whether components of your operating system have been manually replaced.
3. Verify that a TPM device is installed on your machine: on Windows, run the PowerShell command \\\"Get-tpm\\\" as admin, and on Linux, use \\\"ls /dev/tpm0\\\" (with \\\"/dev/tpm0\\\" returning).
4. Remove any untrusted software or drivers with admin access.
5. Restart your machine in normal mode.
6. If all else fails, securely back up your data and create a new machine from a known-good image.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Select Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the Function App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access API Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the API App custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys;
temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.
Use Azure Disk Encryption to encrypt all this data.
Disregard this recommendation if:
1. You're using the encryption-at-host feature, or 2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Defender for Cloud protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Select Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Go to 'SQL servers' page in the Azure portal and select your SQL server.
2. From the top left menu, select 'Auditing' and choose 'Enable Azure SQL Auditing'.
3. Select one of the options to store the Audit logs and follow the instructions.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. Select one or more machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. 
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Application Id for 'Microsoft Azure Management' App or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Signed Binary Proxy Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container hosts should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Privilege Escalation\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Data from Local System\",\r\n \"Remote Services\",\r\n \"Network Sniffing\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"File and Directory Discovery\",\r\n \"Implant Container Image\",\r\n \"Abuse Elevation Control Mechanism\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Open 'Microsoft Defender for Cloud' under 'Security'
3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level'
4. Open '(Configure)'
5. Under 'Vulnerability assessment settings', turn Periodic recurring scans to On, and configure a storage account for storing vulnerability assessment scan results.
6. Select 'Save'\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.

Available resources and information about this tool & migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.
Details about Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Under Subscriptions, select all available subscriptions to get full list of affected classic VMs.
3. Click on Migrate to ARM.
4. Click on Validate. If validate failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
5. Click on Prepare. If prepare failed, use the suggested methods in the error messages or at Migration Overview document to fix the errors.
6. View migrated virtual machines at Virtual Machines Portal Blade and Test their operation.
7. (Optional) Click on Abort to rollback migration.
8. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL managed instances should have vulnerability assessment configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Select 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"SQL Stored Procedures\",\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on managed SQL servers:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Microsoft Defender for SQL to On.
3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set Periodic recurring scans to On.4. Select Save.
Note: Microsoft Defender for SQL is billed as shown on pricing details per region.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redis Cache should allow access only via SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"name\": \"bb318338-de6a-42ff-8428-8274c897d564\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Kubernetes services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\",\r\n \"description\": \"Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.\",\r\n \"remediationDescription\": \"To enable diagnostics logs in one of your Kubernetes services: 1. Go to Kubernetes services and select one of your Kubernetes clusters. 2. From the left menu, open the diagnostic settings and select Add diagnostic setting. 3. 
Select one of the options to store the diagnostics logs and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/07/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hub, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations.\",\r\n \"remediationDescription\": \"To enable diagnostics for a logic app: 1. Open Azure Logic Apps and select the logic app. 2. From the menu, select Diagnostic settings. 3. Select Edit setting if you have an existing setting or select Add diagnostic setting to create a new configuration. 4. Select the options to define what to log and where to store it. 5. Save your settings.
Note : If you use storage accounts, we recommend setting a retention for the logs. To ensure the recommendation evaluates the retention dates across all resources, open the ASC default initiative assignment and set the parameter \\\"Required retention (in days) for logs..\\\" to the desired retention dates that you want the recommendation to evaluate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them for up to a year. 
This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"plannedDeprecationDate\": \"12/2022\",\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. We recommended configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log Analytics agent as an extension to your virtual machine scale set, see the following instructions. For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on 
your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Execution\"\r\n ],\r\n \"techniques\": [\r\n \"Obfuscated Files or Information\",\r\n \"Ingress Tool Transfer\",\r\n \"Phishing\",\r\n \"User Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Microsoft Defender for Cloud. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c\",\r\n \"description\": \"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.\",\r\n \"remediationDescription\": \"1. Register your subscription to Guest Configuration resource provider. 2. Install the Guest Configuration extension on your machine. 3. Enable a system-assigned managed identity, if one doesn't exist. 
Learn more in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69133b6b-695a-43eb-a763-221e19556755\",\r\n \"name\": \"69133b6b-695a-43eb-a763-221e19556755\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a\",\r\n \"description\": \"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more\",\r\n \"remediationDescription\": \"To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. 
Learn more about configuring the Guest Configuration prerequisites in Enable Guest Configuration.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Lateral Movement\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Taint Shared Content\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploit Public-Facing Application\",\r\n \"Drive-by Compromise\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4078e558-bda6-41fb-9b3c-361e8875200d\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1e7fed80-8321-4605-b42c-65fc300f23a3\",\r\n \"description\": \"Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for servers on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.
With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.
When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for SQL on machines on the identified workspaces, select the workspaces and select Remediate.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/29/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\r\n \"description\": \"The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).\",\r\n \"remediationDescription\": \"Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.
  1. Change the resources' authentication method from primary key to Azure Active Directory (AAD):

    1. Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.
    2. Create an Azure Active Directory (AAD) identity for each of these resources:
      1. For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.
      2. For non-Azure resources, create an AAD identity.
    3. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.
    4. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

    You can read more about configuring role-based access control with Azure Active Directory for your Azure Cosmos DB account.

  2. Enforce RBAC as the only authentication method:
    You may choose one of the two options listed below:
    1. You can use the az resource update powershell command:
      $cosmosdbname = \\\"cosmos-db-account-name\\\"
      $resourcegroup = \\\"resource-group-name\\\"
      $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

      az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

    2. Deploy these changes in your ARM template to enforce RBAC as the only authentication method.

      You can read more about using ARM templates on existing resources.

    After these changes have been implemented, all access attempts that use primary/secondary key or access tokens authentication will be denied.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"name\": \"2482620f-f324-4add-af68-2e01e27485e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"name\": \"d103537b-9f3d-4658-a568-31dd66eb05cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"name\": \"a6cd9b98-3b29-4213-b880-43f0b0897b83\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage\",\r\n \"remediationDescription\": \"Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. 
Login to your [Entra permissions Management account](https://pm.cloudknox.io) for remediation.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"07/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Disk Wipe\",\r\n \"Defacement\",\r\n \"Data Encrypted for Impact\",\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the 'Geo-Redundant' option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Defacement\",\r\n \"Disk Wipe\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable resource logs for an App Service: 1. Navigate to your App Service. 2. Go to 'Diagnostic Settings' tab. 3. Enable necessary auditing services for your specified apps. For more information, please go to https://aka.ms/enabling-diagnostic-settings.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Unsecured Credentials\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Navigate to the Configurations for your Function app.
2. Select Configuration, and go to the General Settings tab.
3. Select the General Settings tab.
4. Under the FTP state section, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp
Learn more about Azure Functions Deployment Technology Availability\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in API apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Function App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\r\n \"description\": \"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.\",\r\n \"remediationDescription\": \"To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable purge protection\\\". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to \\\"Enable soft delete\\\" first. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\r\n \"description\": \"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.\",\r\n \"remediationDescription\": \"To enable private links for a registry: 1. Ensure the registry's SKU is set to Premium (SKUs can be upgraded) 2. In the Private endpoints tab, under Network Settings, add basic endpoint information such as name and region 3. On the next page, add registry resource information (such as: name, resource type and subscription) 4. On the next page, add networking and private dns configuration. 5. Create the private endpoint resource. 
For more information, see: https://aka.ms/acr/privatelink\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/d85c6833-7d33-4cf5-a915-aaa2de84405f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"name\": \"d5d090f1-7d5c-9b38-7344-0ede8343276d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MySQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MySQL server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MySQL. 2. In Connection security, set deny public network access to 'Yes'. 
For details, see: https://go.microsoft.com/fwlink/?linkid=2120014.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"name\": \"06ac6ef4-1e66-1334-5418-6e79ab444ce0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"name\": \"6b51b7f7-cbed-75bf-8a02-43384bf47562\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for MySQL, go to data encryption, and pass the key vault and key information. 
Learn more https://aka.ms/mysqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"name\": \"19d45f8f-245c-852e-dbf9-d4aab4758b1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\r\n \"remediationDescription\": \"Azure automatically encrypts data at rest with service-managed keys. To use a customer-managed key to protect and control access to the key that encrypts your data: 1. Create a key vault with soft delete and purge protection enabled. 2. Create your own encryption key or use the Azure Key Vault API to generate a key. 3. Grant the Azure Database for PostgreSQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. 4. Select the Azure Database for PostgreSQL, go to data encryption, and pass the key vault and key information. Learn more https://aka.ms/postgresqlbyok\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"name\": \"ab153e43-2fb5-0670-2117-70340851ea9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for MariaDB is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for MariaDB server to deny all public network access and allow connections ONLY through private endpoints: 1. Select the Azure Database for MariaDB. 2. In Connection security, set deny public network access to 'Yes'. For more information, see: https://go.microsoft.com/fwlink/?linkid=2119542\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"name\": \"1a93e945-3675-aef6-075d-c661498e1046\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\r\n \"remediationDescription\": \"To configure your own encryption key for SQL Server Transparent Data encryption: 1. Select the SQL server. 2. On the Transparent data encryption page, select Customer-managed key. 3. For Key selection method, choose Select a key or Enter a key identifier if you have one. 4. If you chose Select a key, configure the desired Key vault and Key. For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/be264018-593c-1162-bd5e-b74a39396652\",\r\n \"name\": \"be264018-593c-1162-bd5e-b74a39396652\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cache for Redis should reside within a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4\",\r\n \"description\": \"Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. 
When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.\",\r\n \"remediationDescription\": \"Injection into your custom Virtual Network/Subnet can only be done at cache creation time, so take these steps to mitigate: 1. Create and configure a new VNet-injected cache into your custom subnet for the Azure Cache for Redis. 2. Either embed your client application into the same virtual network or allow access for your client application to communicate with the cache instance within your subnet using NSG rules. Follow the guidance here: https://aka.ms/redis/vnet-faq 3. If necessary, export the data from your instance and import it into the new Azure Cache for Redis instance. Learn more about the import/export feature here: https://aka.ms/redis/import-export.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\r\n \"description\": \"To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. 
Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.\",\r\n \"remediationDescription\": \"To configure auto provisioning:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. Open the Auto provisioning page and set the toggle to On for the Log Analytics agent.
3. Select the workspace to receive the data from the machines.
Learn more in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.\",\r\n \"remediationDescription\": \"To set up a security contact:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"name\": \"af560c4d-9c05-e073-b9f1-f7a94958ff25\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\r\n \"remediationDescription\": \"Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"name\": \"8318c3a1-fcac-2e1d-9582-50912e5578e5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"App Configuration should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.\",\r\n \"remediationDescription\": \"To enable private link for Azure App Configuration: 1. In the Azure portal, open the App Configuration instance. 2. Navigate to Settings --> Private endpoint connections 3. Click on Add and configure the private endpoint. For details, see https://aka.ms/appconfig/private-endpoint\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/614ffa75-862c-456e-ad8b-eaa1b0844b07\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\r\n \"description\": \"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity 
alerts in Defender for Cloud.\",\r\n \"remediationDescription\": \"To configure email notifications: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Email notifications page, select the recipients and notification types.
3. In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
4. Select Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"name\": \"b34f9fe7-80cd-6fb3-2c5b-951993746ca8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\r\n \"description\": \"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.\",\r\n \"remediationDescription\": \"By default, Azure Database for PostgreSQL is provisioned with no access from any IP sources. To further enhance network security and configure your Azure Database for PostgreSQL server to deny all public network access and allow connections only through private endpoints: 1. Select the Azure Database for PostgreSQL. 2. In Connection security, set deny public network access to 'Yes'. 
For more information, see: https://go.microsoft.com/fwlink/?linkid=2120015.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\r\n \"description\": \"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.\",\r\n \"remediationDescription\": \"To enable VNet/Firewall rules for a registry: 1. In the Azure Portal, navigate to your registry in the Azure portal 2. Under Networking settings, on the Public access tab, select allow public access from 'Selected networks' instead of 'All Networks' 3. Under Firewall, enter a public IP address, such as the public IP address of a VM in a virtual network. Or, enter an address range in CIDR notation that contains the VM's IP address 4. Select save. 
For more information, see: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"name\": \"bef092f5-bea7-3df3-1ee8-4376dd9c111e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid domains should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Domain resource: 1. In the Azure portal, find your Event Grid Domain resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. Select \\\"+ Private endpoint connections\\\" to configure the values. 
For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/36f4658a-848a-467b-881c-e6fa20cf75fc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"name\": \"bdac9c7b-b9b8-f572-0450-f161c430861c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Event Grid topics should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure Event Grid Topic resource: 1. In the Azure portal, find your Event Grid Topic resource. 2. Navigate to Settings --> Networking, 3. Select \\\"+ Public network access\\\" and choose \\\"+ Private endpoints only\\\" to restrict access only via private endpoint connections, 4. 
Select \\\"+ Private endpoint connections\\\" to configure the values. For details, see https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6fcec95c-fbdf-45e8-91e1-e3175d9c9eca\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"name\": \"18bf29b3-a844-e170-2826-4e95d0ba4dc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using customer-managed keys. Learn more about configuring customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"name\": \"b6f84d18-0137-3176-6aa1-f4d9ac95155c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure SignalR Service should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/asrs/privatelink.\",\r\n \"remediationDescription\": \"To enable private link connections for your Azure SignalR service resource: 1.. Find your SignalR resource in the Azure portal, 2. Navigate to Settings --> Private endpoint connections, 3 Click \\\"+ Private endpoint\\\" to configure the values. Learn more here: https://aka.ms/asrs/privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ef45854f-b33f-49a3-8041-9057e915d88f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"name\": \"814df446-7128-eff0-9177-fa52ac035b74\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on an Azure Cosmos DB account, create an encryption key in Azure Key Vault then pass the key identifier when creating the account. For details, see https://aka.ms/cosmosdb-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/applicationgateway-pricing for full pricing details. To manually add an Azure Web Application Firewall to Azure Application Gateway: 1. If you want to use an existing Azure Web Application Firewall for Azure Application Gateway policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Regional WAF (Application Gateway)'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Azure Application Gateway and select the Azure Application Gateway that does not have an Azure Web Application Firewall. 5. From the left sidebar, select settings, and select 'Web application firewall'. If your current tier is not 'WAF V2' change your tier to 'WAF V2'. There are differences in pricing when changing WAF tiers, refer to https://aka.ms/applicationgateway-pricing for full details. 6. Return to the Web Application Firewall created earlier. Select 'Associated application gateways on the sidebar'. 7. Select 'Associate an application gateway' and add your application gateway. To save the changes, Select 'Save'. An Azure Web Application Firewall is now protecting your application gateway resource. 
For details, see https://aka.ms/applicationgateway-waf.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"name\": \"0c02a769-03f1-c4d7-85a5-db5dca505c49\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\r\n \"description\": \"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.\",\r\n \"remediationDescription\": \"Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. 
Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Reconnaissance\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Service Scanning\",\r\n \"Application Layer Protocol\",\r\n \"Active Scanning\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"name\": \"f6b0e473-eb23-c3be-fe61-2ae3e8309530\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VM Image Builder templates should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa\",\r\n \"description\": \"Audit VM Image Builder templates that do not have a 
virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.\",\r\n \"remediationDescription\": \"To enable private link connection when building VM Image Builder templates, add vnetConfig to templates. For details, see http://aka.ms/azvmimagebuildertmplref.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9\",\r\n \"description\": \"Private links enforce secure communication, by providing private connectivity to the storage account\",\r\n \"remediationDescription\": \"To enforce secure communications for your storage accounts, add a private endpoint as described here: https://aka.ms/connectprivatelytostorageaccount.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n 
],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"name\": \"ca98bba7-719e-48ee-e193-0b76766cdb07\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\r\n \"remediationDescription\": \"To enable customer-managed keys on your storage accounts, create an encryption key in your key vault then pass the key identifier to the storage account. For details, see https://aka.ms/storageencryptionkeys.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"name\": \"4c768356-5ad2-e3cc-c799-252b27d3865a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Spring Cloud should use network injection\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4\",\r\n \"description\": \"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"remediationDescription\": \"Virtual network injection brings the following benefits to your Azure Spring Cloud instances: 1. Isolates Azure Spring Cloud from the internet. 2. Enables Azure Spring Cloud to interact with systems in either on- premises data centers or Azure services in other virtual networks. 3. 
Provides greater control over inbound and outbound network communications for Azure Spring Cloud.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\r\n \"description\": \"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.\",\r\n \"remediationDescription\": \"To protect your storage account from potential threats using virtual network rules: 1. In the Azure portal, open your storage account. 2. 
From the left sidebar, select 'Networking'. 3. From the 'Allow access from' section, select 'Selected networks'. 4. Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"name\": \"bbd14f11-6228-4588-82a4-517b8d77b23f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\r\n \"description\": \"Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\r\n \"remediationDescription\": \"To setup CMK on Azure Machine Learning workspaces, follow the instructions. here: https://aka.ms/azureml-workspaces-cmk\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"name\": \"692343df-7e70-b082-7b0e-67f97146cea3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Machine Learning workspaces should use private link\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab\",\r\n \"description\": \"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"remediationDescription\": \"To enable private link on Azure Machine Learning workspaces, follow the instructions here: https://aka.ms/azureml-workspaces-privatelink.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7838fd83-5cbb-4b5d-888c-bfa240972597\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147\",\r\n \"description\": \"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.\",\r\n \"remediationDescription\": \"For detailed steps, see https://aka.ms/akvprivatelink.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\r\n \"description\": \"Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.\",\r\n \"remediationDescription\": \"To enable the key vault firewall: 1. In the Azure portal, open your key vault. 2.From the left sidebar, select Networking (located under the \\\"Settings\\\" section). 3. 
Set the radio button to Private endpoint and selected networks and select Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"name\": \"1aabfa0d-7585-f9f5-1d92-ecb40291d9f2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault keys should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\r\n \"description\": \"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.\",\r\n \"remediationDescription\": \"To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the 'Keys' tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\r\n \"description\": \"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.\",\r\n \"remediationDescription\": \"To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Secrets' tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to 'Set expiration date'. 7. 
Select 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Credentials from Password Stores\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\r\n \"description\": \"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.\",\r\n \"remediationDescription\": \"To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to \\\"Enable soft delete\\\". 4. Enter a retention period in days. Select 'Save'. 
Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Data Destruction\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6\",\r\n \"description\": \"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.\",\r\n \"remediationDescription\": \"To use SSH for authentication to your Linux virtual machine: 1. Create an SSH key pair for the Linux virtual machine. 2. Disable password authentication in the Linux virtual machine's configuration. 3. Update the SSH key in your Azure Resource Manager template (replace the admin password with the adminSSHKey parameter) or via the Azure CLI (with the --generate-ssh-keys command). 
Learn more in Create and use an SSH public-private key pair for Linux VMs in Azure.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.\",\r\n \"remediationDescription\": \"To enable Private Endpoint Connections: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Private endpoint connections blade via the navigation menu 3. Select the \\\"+ Private Endpoint\\\" button 4. 
Follow the instructions here: https://docs.microsoft.com/azure/azure-sql/database/private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Data Manipulation\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\r\n \"description\": \"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.\",\r\n \"remediationDescription\": \"To disable Public Network Access: 1. Open Azure SQL Database and browse to the server blade 2. Navigate to Security --> Firewalls and virtual networks blade via the navigation menu on the left. 3. 
Select Deny Public Network Access control and change the value to Yes.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"name\": \"ce2768c3-a7c7-1bbf-22cd-f9db675a9807\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API app has Client Certificates Incoming client certificates set to On\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your API App: 1. Navigate to your App Service 2. Select Configuration 3. Go to the General Settings tab 4. 
Set Incoming Client Certificates to Require For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Trusted Relationship\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112\",\r\n \"description\": \"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.\",\r\n \"remediationDescription\": \"To ensure your windows web server is using secure communication protocol: 1. Enable Guest Configuration extension and system assigned identity: https://docs.microsoft.com/azure/virtual-machines/extensions/guest-configuration 2. Enable TLS on your machine. For Windows Server 2008 R2, Windows Server 2012, or Windows 7, install the update at https://support.microsoft.com/help/3140245. For Windows 2012 R2 Server or later, no updates are necessary. 3. 
Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"name\": \"f738efb8-005f-680d-3d43-b3db762d6243\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should restrict network access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\r\n \"description\": \"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"To restrict access for Cognitive Services from public networks: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Selected Networks and Private Endpoints\\\" or \\\"Disabled\\\". Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800. 
Learn more about configuration Virtual Networks for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2110097.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Trusted Relationship\",\r\n \"Exploitation of Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Non-Standard Port\",\r\n \"Lateral Tool Transfer\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"name\": \"aa395469-1687-78a7-bf76-f4614ef72977\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should use customer owned storage or enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11566b39-f7f7-4b82-ab06-68d8700eb0a4\",\r\n \"description\": \"This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. 
Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321. To request access to bring your own storage, fill out and submit the request form from https://aka.ms/cogsvc-cmk.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"name\": \"684a5b6d-a270-61ce-306e-5cea400dc3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Public network access should be disabled for Cognitive Services accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\r\n \"description\": \"This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.\",\r\n \"remediationDescription\": \"To only allow access for Cognitive Services from Private Endpoints: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"Networking\\\" page, 3. In \\\"Firewalls and virtual networks\\\" select \\\"Disabled\\\". 
Learn more about Private Endpoints in https://go.microsoft.com/fwlink/?linkid=2129800.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"name\": \"cdcf4f71-60d3-540b-91e3-aa19792da364\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Cognitive Services accounts should enable data encryption\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2bdd0062-9d75-436e-89df-487dd8e4b3c7\",\r\n \"description\": \"This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.\",\r\n \"remediationDescription\": \"To enable encryption for Cognitive Services: 1. In the Azure portal, open Cognitive Services, 2. Select an item from the list, and open the \\\"encryption\\\" page, 3. Setup encryption using either Microsoft-managed keys or customer-managed keys. 
Learn more about configuration customer-managed keys for Cognitive Services in https://go.microsoft.com/fwlink/?linkid=2121321.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"name\": \"74e7dcff-317f-9635-41d2-ead5019acc99\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Management services should use a virtual network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\r\n \"description\": \"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.\",\r\n \"remediationDescription\": \"To enable Virtual Network on API Management Service: 1. In the Azure portal, open API Management services, 2. Select the desired service from the list, and open the \\\"Virtual Network\\\" page, 3. Setup virtual network along with desired type of virtual network. 
Learn more about configuring virtual network for API Management Services at https://aka.ms/apim-vnet\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Create Account\",\r\n \"Account Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\r\n \"description\": \"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.\",\r\n \"remediationDescription\": \"To configure your Azure Cosmos DB firewall and add IP rules: 1. Go to the \\\"Firewall and virtual networks\\\" section of your Cosmos DB account. 2. Select \\\"Selected networks\\\". 3. Add the IP addresses or ranges you want to allow. 
For more details, follow the instructions in https://aka.ms/cosmosdb-firewall\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\r\n \"description\": \"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end-to-end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.\",\r\n \"remediationDescription\": \"To enable Network Watcher: 1. Navigate to the Network Watcher page on the Azure portal 2. Select the relevant subscription and click on the region drop down 3. 
For any regions that are listed as Disabled, enable them by selecting \\\"Enable network watcher\\\" in the context menu For more information, visit here: https://docs.microsoft.com/azure/network-watcher/network-watcher-create\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99\",\r\n \"description\": \"Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Resource Manager on your subscription: 1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Resource Manager to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\",\r\n \"Permission Groups Discovery\",\r\n \"Account Discovery\",\r\n \"Cloud Service Discovery\",\r\n \"Credentials from Password Stores\",\r\n \"Impair Defenses\",\r\n \"Cloud Infrastructure Discovery\",\r\n \"Cloud Service Dashboard\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d\",\r\n \"description\": \"Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for DNS on your subscription: 1. 
From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set DNS to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"Command and Control\"\r\n ],\r\n \"techniques\": [\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Application Layer Protocol\",\r\n \"Proxy\",\r\n \"Dynamic Resolution\",\r\n \"Protocol Tunneling\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3\",\r\n \"description\": \"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.\",\r\n \"remediationDescription\": \"Enabling vTPM will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'vTPM'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/e494853f-93c3-4e44-9210-d12f61a64b34\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121\",\r\n \"description\": \"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"Enabling Secure Boot will trigger an immediate SYSTEM REBOOT. To enable it: 1. Select the VM. 2. On the VM page, navigate to the 'Configuration' tab. 3. On the 'Configuration' page, check 'Secure boot'. 4. 
Click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"name\": \"e94a7421-fc27-7a4d-e9ba-2ba01384cacd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/6074e9a3-c711-4856-976d-24d51f9e065b\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"name\": \"a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Linux virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda\",\r\n \"description\": \"Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"name\": \"874b14bd-b49e-495a-88c6-46acb89b0a33\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machines: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vm extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation --vm-name MyVM --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/98ea2fc7-6fc6-4fd1-9d8d-6331154da071\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"name\": \"02e8ca50-0e7e-cc34-0b91-215af2904248\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest Attestation extension should be installed on supported Windows virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42\",\r\n \"description\": \"Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install Guest Attestation extension on supported Windows virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. 
Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.WindowsAttestation' --vmss-name MyVMSS --resource-group MyResourceGroup'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. 
Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL). 
S3 buckets should have policies that require all requests ('Action: S3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'. This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data. 
Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. It does not check for change detection for all critical system files and content files, as AWS Config supports only a subset of resource types. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. 
The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root user credentials. It does not check whether you are using virtual MFA. 
To address PCI DSS requirement 8.3.1, you can choose between hardware MFA (this control) or virtual MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the IAM users have multi-factor authentication (MFA) enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA 
should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials. It does not check whether you are using hardware MFA. To address PCI DSS requirement 8.3.1, you can choose between virtual MFA (this control) or hardware MFA.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). It does not check for write access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable. It does not check for read access to the bucket by internal principals, such as IAM roles. 
You should ensure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days. Security Hub strongly recommends that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. These practices allow your users to use their existing corporate credentials to sign in to the AWS Management Console console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or who plan to need more than the current quota of IAM users. Applications running outside of an AWS environment need access keys for programmatic access to AWS resources. 
However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. You can use roles to grant a resource access without hardcoding an access key ID and secret access key into the configuration. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer. This control only checks for inactive passwords or active access keys. It does not disable the account from use after 90 days. Customers are responsible for taking action and disabling the unused credentials.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations: 'RequireUppercaseCharacters' - Require at least one uppercase character in password. (Default = 'true'); 'RequireLowercaseCharacters' - Require at least one lowercase character in password. (Default = 'true'); 'RequireNumbers' - Require at least one number in password. 
(Default = 'true'); 'MinimumPasswordLength' - Password minimum length. (Default = 7 or longer); 'PasswordReusePrevention' - Number of passwords before allowing reuse. (Default = 4); MaxPasswordAge - Number of days before password expiration. (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether user access keys exist for the root user.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": 
\"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. It does not check whether least privileged policies are applied to IAM roles and groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as \\\"S3:*\\\". 
It does not check for inline and AWS managed policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material. You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. 
AWS managed customer master keys are rotated once every 3 years.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access. It does not check for access to the Lambda function by internal principals, such as IAM roles. 
You should ensure that access to the Lambda function is restricted to authorized principals only by using least privilege Lambda resource-based policies.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item. The value of publiclyAccessible indicates whether the DB instance is publicly accessible. When the DB instance is publicly accessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. The control does not check VPC subnet routing settings or the Security Group rules. You should also ensure VPC subnet routing does not allow public access, and that the security group inbound rule associated with the RDS instance does not allow unrestricted access (0.0.0.0/0). 
You should also ensure that access to your RDS instance configuration is limited to only authorized users by restricting users' IAM permissions to modify RDS instances settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible by evaluating the 'publiclyAccessible' field in the cluster configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": 
\"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. 
You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company's sensitive data. 
You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following public access block settings are configured at the account level: 'ignorePublicAcls': 'true'; 'blockPublicPolicy': 'true'; 'blockPublicAcls': 'true'; 'restrictPublicBuckets': 'true'. As an AWS best practice, S3 buckets should block public access. 
Unless you explicitly require everyone on the internet to be able to access your S3 bucket, you should ensure that your S3 bucket is not publicly accessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. 
It does not check for access restrictions for other security groups that are not default, and other VPC configurations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether security groups in use disallow unrestricted incoming SSH traffic. It does not evaluate outbound traffic. Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. 
Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. 
A failed finding indicates you may have unused Amazon EC2 security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. 
You should also ensure that your VPC is configured according to the recommended best practices.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. Note that if Lambda@Edge is found in the account, then this control generates failed findings. 
To prevent these findings, you can disable this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the project contains environment variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": 
\"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs). A failed finding indicates you may have unused Amazon EC2 EIPs. This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the 'DirectInternetAccess' field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable - Access the internet through a VPC. To train or host models from a notebook, you need internet access. 
To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. You should also ensure that access to your SageMaker configuration is limited to only authorized users. Restrict users' IAM permissions to modify SageMaker settings and resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption. 
If you are only using the default encryption option, you can choose to disable this check.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have encryption at rest configuration enabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric 
filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks for the CloudWatch metric filters using the following pattern: '{ $.userIdentity.type = \\\"Root\\\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \\\"AwsServiceEvent\\\" }'. It checks the following: The log group name is configured for use with active multi-Region CloudTrail; There is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All; There is at least one active subscriber to an Amazon SNS topic associated with the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT. With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data. 
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows. By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. It does not check for user permissions to alter logs or log groups. You should create specific CloudWatch rules to alert when CloudTrail logs are altered. 
This control also does not check for any additional audit log sources other than CloudTrail being sent to a CloudWatch Logs group.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is enabled in your AWS account. However, some AWS services do not enable logging of all APIs and events. 
You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail log file validation is enabled. It does not check when configurations are altered. 
To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2. It also does not validate whether the patches applied were classified as security patches. 
You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EC2 instances in your account are managed by Systems Manager. AWS Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances. 
Additional configuration is needed in Systems Manager for patch deployment to managed EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the status of the AWS Systems Manager association compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the association is run on an instance. The control passes if the association compliance status is COMPLIANT. A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. 
For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium. You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS 3.2.1 requirement 6.2.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether S3 buckets have cross-region replication enabled. PCI DSS does not require data replication or highly available configurations. However, this check aligns with AWS best practices for this control. 
In addition to availability, you should consider other systems hardening settings.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. 
However, this check aligns with AWS best practices.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon GuardDuty is enabled in your AWS account and Region. While GuardDuty can be effective against attacks that an intrusion detection system would typically protect, it might not be a complete solution for every environment. 
This rule also does not check for the generation of alerts to personnel.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Defender for Cloud leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don't use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Defender for Cloud enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. 
Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. 
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related 
roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. 
Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. 
Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'. Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled 
for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. 
Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n 
\"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. \",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account has unrestricted access to all resources in the AWS account. We highly recommend that you avoid using this account. The root account is the most privileged account. Minimizing the use of this account and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials. As a best practice, use your root credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. Security Hub recommends enabling MFA for all accounts that have a console password. 
Enabling MFA provides increased security for console access because it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM users can access AWS resources using different types of credentials, such as passwords or access keys. Security Hub recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. The AWS Config rule for this control uses the 'GetCredentialReport; and 'GenerateCredentialReport' API operations, which are only updated every four hours. 
Changes to IAM users can take up to four hours to be visible to this control.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. Security Hub recommends that you regularly rotate all access keys. Rotating access keys reduces the chance for an access key that is associated with a compromised or terminated account to be used. 
Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one uppercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one number. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. 
Setting a password complexity policy increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. Security Hub recommends that the password policy prevent the reuse of passwords. 
Preventing password reuse increases account resiliency against brute force login attempts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios: Passwords can be stolen or compromised without your knowledge. 
This can happen via a system compromise, software vulnerability, or internal threat; Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted; Many people use the same password for many systems such as work, email, and personal; Compromised end-user workstations might have a keystroke logger.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given account. Security Hub recommends that all access keys be associated with the root account be removed. Removing access keys associated with the root account limits vectors that the account can be compromised by. 
Removing the root access keys also encourages the creation and use of role-based accounts that are least privileged.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. When you use virtual MFA for root accounts, Security Hub recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. 
This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. For Level 2, Security Hub recommends that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on. Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. 
You can then apply the Level 1 recommendation to the remaining accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. Security Hub recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. 
Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. 
By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered a standard security advice to grant least privilege-that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. 
You should remove IAM policies that have a statement with '\\\"Effect\\\": \\\"Allow\\\"' with '\\\"Action\\\": \\\"*\\\"' over '\\\"Resource\\\": \\\"*\\\"'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally: Ensuring that a multi-Region trail exists ensures that unexpected activity occurring in otherwise unused Regions is detected; Ensuring that a multi-Region trail exists ensures that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services; For a multi-Region trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. Security Hub recommends that you enable file validation on all trails. 
Enabling log file validation provides additional integrity checking of CloudTrail logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. 
If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group. 
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. Security Hub recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing. To run this check, Security Hub performs custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. 
Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Security Hub recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows. 
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled. If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is 'No data'. If the bucket is publicly accessible, the check generates a failed finding.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys. 
You can configure CloudTrail logs to leverage server-side encryption (SSE) and AWS KMS customer-created master keys (CMKs) to further protect CloudTrail logs. Security Hub recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": \"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the CMK. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Security Hub recommends that you enable CMK key rotation. 
Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. Security Hub recommends that you enable flow logging for packet rejects for VPCs. 
Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or insight during security workflows.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer-created CMKs that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact. To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. 
Additional fields or terms cannot be added to the metric filters.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 22. 
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that no security group allow unrestricted ingress access to port 3389. 
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Hub recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation. 
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"name\": \"47a6d30e-79c4-411b-920a-06a7eab22bad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Imported ACM certificates should be renewed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you. ACM does not automatically renew certificates that you import. 
You must renew imported certificates manually.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"name\": \"f74c50e7-84a3-4e64-ac2b-c4ec74e0cb71\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API Gateway REST and HTTP API logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether all methods of an Amazon API Gateway REST or HTTP API stage have logging enabled. The control fails if logging is not enabled for all methods of a stage or if 'loggingLevel' is neither 'ERROR' nor 'INFO'. API Gateway REST or HTTP API stages should have relevant logs enabled. API Gateway REST API execution logging provides detailed records of requests made to API Gateway REST API stages. The stages include API integration backend responses, Lambda authorizer responses, and the 'requestId' for AWS integration endpoints. HTTP API access logs include information about requests made to the HTTP API. The information includes the IP address of the caller, the method of the request, the time of the request, and the HTTP status code response. 
Logs can assist with security and access audits, power additional threat detections, and aid in diagnosing availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"name\": \"8127ddad-f29f-4207-a9d3-9bb3ba3f1485\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto Scaling groups associated with a load balancer should use load balancer health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. 
Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"name\": \"73c17f13-ba0c-4227-84ee-f34eb85431ca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have a default root object configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. A user might sometimes request the distribution's root URL instead of an object in the distribution. 
When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"name\": \"c1fb3f16-5849-4b9d-a7e6-03df4a2235bb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin access identity enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. CloudFront OAI prevents users from accessing S3 bucket content directly. 
When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"name\": \"bbadae9a-7672-4ab2-821a-71f13d319b3b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should require encryption in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if 'ViewerProtocolPolicy' is set to 'allow-all' for 'defaultCacheBehavior' or for 'cacheBehaviors'. HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"name\": \"7196e4f7-7136-4003-b3e5-a8156d160a3f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudFront distributions should have origin failover configured\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. 
Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"name\": \"3ce0c201-fc34-43ba-85ef-d47406a9ca05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled and configured with at least one multi-Region trail\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that there is at least one multi-Region CloudTrail trail.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"name\": \"4788ce7d-f39d-40e4-8a46-4308a5bd80ea\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the 'KmsKeyId' is defined. For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"name\": \"03c0e8b8-fcb4-48d1-ae1a-d35e08748340\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should automatically scale capacity with demand\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. 
This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"name\": \"cf8a0486-5ef6-42f1-8403-35ecd324153f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB tables should have point-in-time recovery enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. 
DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"name\": \"5ae2524f-9c45-49d6-af31-ec19df32bbe4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"DynamoDB Accelerator (DAX) clusters should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. 
For example, API permissions are required to decrypt the data before it can be read.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"name\": \"eaca2aff-0681-4c41-8d7f-04c71577f298\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that Amazon Elastic Block Store snapshots are not public, as determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"name\": \"b31e09dd-677c-4e14-8ab1-0a9f13e54218\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"The VPC default security group should not allow inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. 
This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"name\": \"5d828e79-c441-43c3-807e-38ce88a728a5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Attached EBS volumes should be encrypted at-rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. 
It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"name\": \"f1a7dd27-bb23-4de0-a249-adc3c14aa144\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Stopped EC2 instances should be removed after a specified time period\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. 
Ideally this is an automated process.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"name\": \"3f15179b-8414-407a-9432-2b0c131695f3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS default encryption should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. 
This adds an additional layer of protection for your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"name\": \"91ffef5d-42a9-4e34-b1d0-68cdc160748d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should use IMDSv2\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if 'HttpTokens' is set to required for IMDSv2. 
The control fails if 'HttpTokens' is set to 'optional'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"name\": \"6f53022b-ffee-44cc-b84e-6bcc1bcef11f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should not have a public IP address\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network. IPv6 addresses are globally unique, and therefore are reachable from the internet. 
However, by default all subnets have the IPv6 addressing attribute set to false.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"name\": \"aa3fb42f-04c9-4e17-b05b-e4e4f1f90f15\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EC2 should be configured to use VPC endpoints\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 APIs privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. 
This prevents unintended Amazon EC2 API calls to other Regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"name\": \"d9e95363-3a8a-498b-bef3-b869869b20b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS should be configured to encrypt file data at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases: 'Encrypted' is set to 'false' in the 'DescribeFileSystems' response; The 'KmsKeyId' key in the 'DescribeFileSystems' response does not match the 'KmsKeyId' parameter for 'efs-encrypted-check'. Note that this control does not use the 'KmsKeyId' parameter for 'efs-encrypted-check'. It only checks the value of 'Encrypted'. For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. 
You can enable encryption of data at rest when you create an Amazon EFS file system.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"name\": \"f5375c36-4d39-436b-a5fc-42576f9c4c24\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EFS volumes should be in backup plans\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"name\": \"10b9bd1a-d845-4d29-a8f0-aa9386f93226\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Classic Load Balancer listeners should be configured with HTTPS or TLS termination\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections. Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. 
You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"name\": \"4d75936d-e541-4a75-a183-99cc54462cf1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application load balancers should be configured to drop HTTP headers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of 'routing.http.drop_invalid_header_fields.enabled' is set to 'false'. By default, ALBs are not configured to drop invalid HTTP header values. 
Removing these header values prevents HTTP desync attacks.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"name\": \"cbc0dd46-9b4b-4078-8340-b20283037770\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application and Classic Load Balancers logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if 'access_logs.s3.enabled' is 'false'. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. 
You can use these access logs to analyze traffic patterns and to troubleshoot issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"name\": \"fbec0eb1-0e7e-4df0-8f3c-bf9ac1601927\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer deletion protection should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. 
Enable deletion protection to protect your Application Load Balancer from deletion.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"name\": \"f4705af2-9651-47f1-8797-2050c0870f35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon EMR cluster master nodes should not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the 'PublicIp' field of the 'NetworkInterfaces' configuration for the instance. 
This control only checks Amazon EMR clusters that are in a 'RUNNING' or 'WAITING' state.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"name\": \"4c459de6-4a24-4f24-93bb-6533935019f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elasticsearch domains should have encryption at-rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. For an added layer of security for your sensitive data in Elasticsearch, you should configure your Elasticsearch to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"name\": \"ecae3088-3cc5-4b7a-bc19-2c20719ab4fb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. You should also ensure that your VPC is configured according to the recommended best practices. Amazon ES domains deployed within a VPC can communicate with VPC resources over the private AWS network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Amazon ES domains, including network ACL and security groups. 
Security Hub recommends that you migrate public Amazon ES domains to VPCs to take advantage of these controls.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"name\": \"1518211b-17f4-46bc-9538-d6ccd8efa3c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch Service domains should encrypt data sent between nodes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. 
You should be aware of and test the performance trade-off before enabling this option.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"name\": \"233d2b0e-27cd-4589-aed5-b76e73744071\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users' access keys should be rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the active access keys are rotated within 90 days. We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use federation. You can use these methods to allow your users to use their existing corporate credentials to log into the AWS Management Console and AWS CLI. Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit IAM users. Applications that run outside of an AWS environment need access keys for programmatic access to AWS resources. However, if the resources that need programmatic access run inside AWS, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration. 
If you already have an access key, Security Hub recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS CLI, Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another identity provider (IdP) connected to AWS SSO. They can then be mapped to an IAM role that enables them to run AWS CLI commands or call AWS APIs without the need for IAM user access keys.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"name\": \"e5c918c8-d7f6-4d5d-b91f-9b9736457ce9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users that have a console password\",\r\n \"assessmentType\": 
\"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that use a console password. Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their AWS MFA device. We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"name\": \"2af5aa8e-6e0a-4cf4-82e7-ad17ba327c3c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused IAM user credentials should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
Security Hub recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"name\": \"9d945fb4-6cf1-431b-8e96-66dba76ab2b1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM customer managed policies should not allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. 
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the 'kms:Decrypt' or 'kms:ReEncryptFrom' permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow 'kms:Decrypt' only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"name\": \"d3746ffb-51b3-4cc9-8b5d-2ac1f9192d37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the 
AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if 'kms:Decrypt' or 'kms:ReEncryptFrom' actions are allowed on all KMS keys in an inline policy. With AWS KMS, you control who can use your customer master keys (CMKs) and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data. Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow 'kms:Decrypt' permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. 
By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"name\": \"91b8d230-94ad-4df8-b737-f585df30fa30\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS KMS keys should not be unintentionally deleted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. When a CMK is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS CMK is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS CMK will not be deleted.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"name\": \"706a0138-900e-4c53-8114-bb5f19eccd09\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda function policies should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. 
The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"name\": \"ac49a0a5-db33-4be7-9738-301783b6bba9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should use latest runtimes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.5, ruby2.7,java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1 Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"name\": \"480c2cd4-467d-4ea5-8ffa-c459cf8503c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should be private\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS snapshots are public. RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance. Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. 
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"name\": \"efe6ff8c-8247-4705-9a06-097d57b93305\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon RDS instances are publicly accessible by evaluating the 'PubliclyAccessible' field in the instance configuration item. The 'PubliclyAccessible' value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with 'PubliclyAccessible', it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with 'PubliclyAccessible' value. 
Doing so might allow unnecessary traffic to your database instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"name\": \"52a194fc-4cc6-4bc3-92c0-7c2454dd1043\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether storage encryption is enabled for your Amazon RDS DB instances. For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. Amazon RDS encryption is currently available for all database engines and storage types. 
Amazon RDS encryption is available for most DB instance classes.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"name\": \"5a9abb2d-5fdd-4264-8770-91c66cf58ecf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS cluster snapshots and database snapshots should be encrypted at rest\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB snapshots are encrypted. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. 
Data in RDS snapshots should be encrypted at rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"name\": \"f3b277d1-0c86-445b-acf1-bc0a405b193b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should be configured with multiple Availability Zones\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. 
Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"name\": \"7e91ce41-1c19-4950-8a76-cfe3c6596250\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enhanced monitoring should be configured for RDS DB instances and clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. 
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"name\": \"1d16fd74-7014-464b-b981-6242a4c2be32\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS clusters should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS clusters have deletion protection enabled. Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"name\": \"1831430a-6cf6-4341-b2cc-1e66168bdd21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB instances should have deletion protection enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether your RDS DB instances have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. 
Before a deletion request can succeed, deletion protection must be disabled.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"name\": \"3c0f7022-8906-4a8c-b993-9675f89d8d3e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database logging should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql, Upgrade). RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. 
Database logs can assist with security and access audits and can help to diagnose availability issues.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"name\": \"66a9c7f5-85ba-4091-b15a-c06bec33faf8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM authentication should be configured for RDS instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. 
Network traffic to and from the database is encrypted using SSL.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"name\": \"7b948796-172f-426e-a3bd-3f0b1999d0e0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS instances should have automatic backups enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether RDS DB instances have automated backups enabled and whether the backup retention period is greater than or equal to seven. Optionally, you can supply a 'retentionPeriod' to compare against. The control passes if all of the following are true: Backups are enabled, The backup retention period is greater than or equal to retentionPeriod, The retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. 
This control checks that backups are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"name\": \"53af35b0-2338-4783-9ba9-8399f610a783\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the 'PubliclyAccessible' field in the cluster configuration item. The 'PubliclyAccessible' attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with 'PubliclyAccessible' set to 'true', it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. 
Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with 'PubliclyAccessible' set to 'true'.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"name\": \"4bd4c29c-8565-4052-96b4-5405e68f51ba\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Connections to Amazon Redshift clusters should be encrypted in transit\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. 
You should test your application with this feature to understand the performance profile and the impact of TLS.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b032ed58-d158-401f-b820-424a48414f93\",\r\n \"name\": \"b032ed58-d158-401f-b820-424a48414f93\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift clusters should have automatic snapshots enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. 
This control checks whether automatic snapshots are enabled and retained for at least seven days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"name\": \"643a00cb-3da3-43ef-b523-15a0f3198e45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Redshift should have automatic upgrades to major versions enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster. Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. 
Keeping up-to-date with patch installation is an important step in securing systems.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"name\": \"2c816f41-886f-4e31-87f2-41cfb091d59b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. 
The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"name\": \"df8e8066-1415-40c7-9844-f495a1ad179e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets should have automatic rotation enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. 
For this reason, you should rotate your secrets frequently.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"name\": \"5110f9f8-2bf7-444f-81d7-321bfeceec06\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secrets Manager secrets configured with automatic rotation should rotate successfully\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if 'RotationOccurringAsScheduled' is 'false'. The control does not evaluate secrets that do not have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. 
In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"name\": \"ad8217e9-5e93-4be2-88bc-3e538960209d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SNS topics should be encrypted at rest using AWS KMS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether an SNS topic is encrypted at rest using AWS KMS. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. 
SNS topics should be encrypted at-rest for an added layer of security.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"name\": \"11c3f3c8-3c13-48be-9ee5-67b6865e7462\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All EC2 instances managed by Systems Manager should be compliant with patching requirements\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager. 
Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Foundational Security Best Practices\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.
Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\",\r\n \"Network Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.
2. To see the groups of machines that Defender for Cloud recommends protecting with adaptive application controls, select the Recommended3. Create a new applications control policy according to the instructions in Defender for Cloud's documentation.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Defender for Cloud.
2. Select \\\"Adaptive application controls\\\" from Defender for Cloud's sidebar.
3. To see the groups of machines for which Defender for Cloud recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Defender for Cloud recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly-permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.\",\r\n \"remediationDescription\": \"To review the recommended changes to the traffic rules for your network security groups, select a machine or select 'Take action'\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access 
control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and select \\\"Remediate\\\", or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, select the \\\"Add\\\" button on the top left, or select an existing port and edit it.
    • On the \\\"Add port configuration\\\" pane, enter the required parameters.
  • Select \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (for example, RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Defender for Cloud's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Learn more in Understanding just-in-time (JIT) VM access.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Man-in-the-Middle\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
To keep your machine as secure as possible, the VM access to the internet must be restricted and an NSG should be enabled on the subnet.
VMs with 'High' severity are internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Execution\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Impact\",\r\n \"Credential Access\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Remote Services\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Software Deployment Tools\",\r\n \"Proxy\",\r\n \"Non-Application Layer Protocol\",\r\n \"Trusted Relationship\",\r\n \"Remote Access Software\",\r\n \"Domain Trust Discovery\",\r\n \"Network Denial of Service\",\r\n \"Endpoint Denial of Service\",\r\n \"Man-in-the-Middle\",\r\n \"Lateral Tool Transfer\",\r\n \"Non-Standard Port\",\r\n \"Data from Configuration Repository\",\r\n \"External Remote Services\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or select \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.\",\r\n \"remediationDescription\": \"To deploy a vulnerability assessment solution, in the \\\"Unhealthy resources\\\" tab, select the resources, then select \\\"Remediate\\\". Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the 'Healthy resources' tab\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Defender for Cloud. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Command and Control\",\r\n \"Discovery\",\r\n \"Exfiltration\",\r\n \"Initial Access\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"Fallback Channels\",\r\n \"Remote System Discovery\",\r\n \"Network Service Scanning\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Non-Application Layer Protocol\",\r\n \"External Remote Services\",\r\n \"Traffic Signaling\",\r\n \"Remote Access Software\",\r\n \"Non-Standard Port\",\r\n \"Gather Victim Network Information\",\r\n \"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring.
When the file integrity monitoring solution is enabled, a data collection rule is assigned to your machines, and defines the files to be monitored. To edit rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page\",\r\n \"remediationDescription\": \"To enable file integrity monitoring:
From the list below, select one or more virtual machines and select Remediate\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"File and Directory Permissions Modification\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Subvert Trust Controls\",\r\n \"Modify Authentication Process\",\r\n \"Impair Defenses\",\r\n \"Hijack Execution Flow\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence.
Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for Key Vault on all key vaults in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Key Vault to On.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Credentials from Password Stores\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure SQL Database servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Azure SQL Database servers to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Microsoft Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable this plan on all SQL servers on machines in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set SQL servers on machines to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Defense Evasion\",\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Modify Registry\",\r\n \"Valid Accounts\",\r\n \"Brute Force\",\r\n \"Data from Information Repositories\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Microsoft Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.\",\r\n \"remediationDescription\": \"To enable this plan on all Azure Storage accounts in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Storage to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Lateral Movement\",\r\n \"Command and Control\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Taint Shared Content\",\r\n \"Ingress Tool Transfer\",\r\n \"Data Destruction\",\r\n \"Data from Cloud Storage Object\",\r\n \"Transfer Data to Cloud Account\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Protect your web apps and APIs.\",\r\n \"remediationDescription\": \"To enable this plan on all App Service plans in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set App Service to On.\",\r\n \"categories\": [\r\n \"AppServices\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Collection\",\r\n \"Discovery\",\r\n \"Defense Evasion\",\r\n \"Execution\",\r\n \"Privilege Escalation\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Resource Development\",\r\n \"Reconnaissance\"\r\n ],\r\n \"techniques\": [\r\n \"OS Credential Dumping\",\r\n \"Data from Local System\",\r\n \"Query Registry\",\r\n \"Obfuscated Files or Information\",\r\n \"Masquerading\",\r\n \"Windows Management Instrumentation\",\r\n \"Scheduled Task/Job\",\r\n \"Process Injection\",\r\n \"Input Capture\",\r\n \"Process Discovery\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Screen Capture\",\r\n \"Audio Capture\",\r\n \"Access Token Manipulation\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"User Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Domain Trust Discovery\",\r\n \"Resource Hijacking\",\r\n \"Create or Modify System Process\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Unsecured Credentials\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Inter-Process Communication\",\r\n \"Phishing\",\r\n \"Hijack Execution Flow\",\r\n \"Compromise Infrastructure\",\r\n \"Search Victim-Owned Websites\",\r\n 
\"Active Scanning\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38\",\r\n \"description\": \"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable this plan on all Kubernetes clusters in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Containers to On.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\",\r\n \"DataSpillage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"11/01/2021\",\r\n \"public\": \"11/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Indicator Removal on Host\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Implant Container Image\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.\",\r\n \"remediationDescription\": \"To enable this plan on all servers in a subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Servers to On.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\",\r\n \"Execution\",\r\n \"Defense Evasion\",\r\n \"Exfiltration\",\r\n \"Discovery\",\r\n \"Command and Control\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Hijack Execution Flow\",\r\n \"Modify Authentication Process\",\r\n \"Boot or Logon Initialization Scripts\",\r\n \"Scheduled Task/Job\",\r\n \"Account Manipulation\",\r\n \"Office Application Startup\",\r\n \"OS Credential Dumping\",\r\n \"Obfuscated Files or Information\",\r\n \"Exfiltration Over Alternative Protocol\",\r\n \"Process Injection\",\r\n \"Command and Scripting Interpreter\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Indicator Removal on Host\",\r\n \"Valid Accounts\",\r\n \"System Information Discovery\",\r\n \"Account Discovery\",\r\n \"Ingress Tool Transfer\",\r\n \"Modify Registry\",\r\n \"Create Account\",\r\n \"Deobfuscate/Decode Files or Information\",\r\n \"Drive-by Compromise\",\r\n \"Indirect Command Execution\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Signed Binary Proxy Execution\",\r\n \"File and Directory Permissions Modification\",\r\n \"Service Stop\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Boot or Logon Autostart Execution\",\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Steal or Forge Kerberos Tickets\",\r\n \"Impair Defenses\",\r\n 
\"Remote Service Session Hijacking\",\r\n \"Hide Artifacts\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Brute Force\",\r\n \"Masquerading\",\r\n \"User Execution\",\r\n \"Subvert Trust Controls\",\r\n \"Compromise Client Software Binary\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835\",\r\n \"description\": \"Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.

Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will automatically be protected and charges will begin at that time.\",\r\n \"remediationDescription\": \"To enable Microsoft Defender for open-source relational databases on your subscription:
1. From Defender for Cloud's Environment settings page, select the relevant subscription.
2. In the Defender plans page, set Open-source relational databases to On.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"09/19/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"name\": \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have infrastructure as code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.\",\r\n \"remediationDescription\": \"Security issues and vulnerabilities in infrastructure as code can lead to compliance violations and data breaches in production environments. 
It is recommended to improve the security posture by remediating and fixing these findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"name\": \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have code scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in code repositories can lead to compliance violations and data breaches. 
It is highly recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"name\": \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have secret scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. 
Therefore, results may not reflect the complete status of secrets in your repositories.\",\r\n \"remediationDescription\": \"Invalidate the secrets, tokens, and/or passwords that were found by the secret scanner.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/822425e3-827f-4f35-bc33-33749257f851\",\r\n \"name\": \"822425e3-827f-4f35-bc33-33749257f851\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Code repositories should have Dependabot scanning findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.\",\r\n \"remediationDescription\": \"The vulnerabilities detected in the code repositories can lead to compliance violations and data breaches. 
It is recommended to remediate these vulnerabilities to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"02/19/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"name\": \"9dbf49ec-ce06-476d-ab70-7bd612c4a52c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DevOps security posture findings should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Defender for DevOps security posture checks helps you keep your ADO artifacts such as various org/project settings, build/release configurations, service connections, agent pools, etc., configured securely.\",\r\n \"remediationDescription\": \"The security posture checks found can lead to compliance violations and data breaches. 
It is recommended to improve the security posture by remediating and fixing these configuration findings to reduce the likelihood of a successful attack.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MissingCoverage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"02/06/2023\",\r\n \"public\": \"10/01/2022\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Reconnaissance\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"Collection\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Application Layer Protocol\",\r\n \"Compromise Infrastructure\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation for Credential Access\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"name\": \"03587042-5d4b-44ff-af42-ae99e3c71c87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Elastic container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"23/06/2022\",\r\n \"public\": \"23/06/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your virtual machines.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n 
\"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"name\": \"77a4a140-e051-481a-84cc-d4bf2109bd65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Resolve the findings from the vulnerability assessment solutions on your EC2 instances.\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by the vulnerability assessment solutions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/14/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Execution\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\",\r\n \"Drive-by Compromise\",\r\n \"Exploitation of Remote Services\",\r\n 
\"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"AWS\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d\",\r\n \"description\": \"SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more\",\r\n \"remediationDescription\": \"To remediate SQL vulnerabilities and mitigate risks:
1. Navigate to a database in the Unhealthy databases list.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Privilege Escalation\",\r\n \"Persistence\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Privilege Escalation\",\r\n \"Valid Accounts\",\r\n \"Modify Registry\",\r\n \"Server Software Component\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Select any of the findings below.
2. On the right pane opened, follow the instructions under 'Remediation' if exist.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Credential Access\",\r\n \"Defense Evasion\",\r\n \"Lateral Movement\",\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Credential Access\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploit Public-Facing Application\",\r\n \"External Remote Services\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Initial Access\",\r\n \"Lateral Movement\",\r\n \"Defense Evasion\",\r\n \"Credential Access\",\r\n \"Impact\",\r\n \"Persistence\",\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Software Deployment Tools\",\r\n \"Exploit Public-Facing Application\",\r\n \"Supply Chain Compromise\",\r\n \"Exploitation for Client Execution\",\r\n \"Exploitation of Remote Services\",\r\n \"Exploitation for Defense Evasion\",\r\n \"Exploitation for Credential Access\",\r\n \"Drive-by Compromise\",\r\n \"Endpoint Denial of Service\",\r\n \"Compromise Client Software Binary\",\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b\",\r\n \"description\": \"Ensure your machines are up to date by installing missing security and critical OS updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install missing system updates on a selected machine: 1. From \\\"Affected resources\\\", select a virtual machine. 2. Select the \\\"Fix\\\" button. This will redirect you to Update management center (preview). 3. In update management center (preview), select \\\"One-time update\\\" or \\\"Schedule updates\\\", and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1. Click any of the configuration vulnerability rules 2. 
In the Vulnerability details pane, see the remediation description and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"10/24/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\",\r\n \"Discovery\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Abuse Elevation Control Mechanism\",\r\n \"Account Discovery\",\r\n \"OS Credential Dumping\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Defender for Cloud.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Defender for Cloud documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"name\": \"ad50b498-f90c-451f-886f-d0a169cc5002\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Linux virtual machines should use only signed and trusted boot components\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.\",\r\n \"remediationDescription\": \"Investigate the untrusted boot components. If they are legitimate, add them to the allow list. 
Otherwise, remove them.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have read permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have write permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a\",\r\n \"description\": \"If you only use passwords to authenticate your users, you are leaving an attack vector open.
By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application.
Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification.
To prevent breach and attacks, we recommend you to enable MFA for all accounts that have owner permissions on Azure resources.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions\",\r\n \"remediationDescription\": \"There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. The following are the supported MFA emblement options to be compliant:

Security defaults (included in Azure AD free)
To enable MFA security defaults in Azure Active Directory:
  1. Sign in to the Azure AD - Properties page as a Security administrator, Conditional Access administrator, or Global administrator.
  2. From the bottom of the page, select Manage security defaults.
  3. Set Enable security defaults to Yes.
  4. Select Save.
Per-user assignment (included in Microsoft 365 Business, E3, or E5 plans)
To enable MFA per-user assignment:
  1. Sign in to the Azure AD - All users page as a Global administrator.
  2. From the top menu, select Per-user MFA.
  3. Find the user(s) you want to enable for per-user MFA and check the box next to the name(s) of the user(s).
  4. On the right-hand side, under quick steps, choose Enable.
  5. Confirm your selection in the pop-up window that opens.
Conditional access (CA) policy (included in Azure AD Premium plans)
To enable MFA using conditional access you must have an Azure AD Premium license:
  1. Sign in to the Azure AD – Conditional Access page as a Conditional Access administrator, or Global administrator.
  2. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
  3. For your conditional access policy, ensure the following:
    1. In the Access controls section, choose Grant and ensure Require multi-factor authentication is enabled.
    2. In the Cloud Apps or actions section's 'Include' tab, check that Microsoft Azure Management or All apps is selected. In the 'Exclude' tab, check that it is not excluded.
  4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Defender for Cloud.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\",\r\n \"Brute Force\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52\",\r\n \"description\": \"Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": \"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87\",\r\n \"description\": \"Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046\",\r\n \"description\": \"Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names), should be removed from your Azure resources.
Guest accounts are not managed to the same standards as enterprise tenant identities.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of guest accounts that require access removal on the Accounts section. Click on each account to view its role definitions and locate source scope. If you accept the risk for a specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5\",\r\n \"description\": \"Accounts that have been blocked from signing in on Active Directory, should be removed from your Azure resources.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"Review the list of accounts that are blocked from signing in on the Accounts section. Click on each account to view its role definitions and locate the source scope. If you accept the risk for specific account, use the exempt capability to exclude it from evaluation.
  1. Go to the Azure portal.
  2. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
  3. Click the Role assignments tab to view all the role assignments.
  4. In the list of role assignments, add a checkmark next to the blocked user with the role assignment you want to remove.
  5. Click Remove. In the remove role assignment message that appears, click Yes.
\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"Valid Accounts\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af99038c-02fd-4a2f-ac24-386b62bf32de\",\r\n \"description\": \" Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.\",\r\n \"remediationDescription\": \"Review the findings and evaluate if any ports need to remain open for your service to function or if they can be closed to protect your resources. Please, opt out of the recommendation by using the exemption workflow for any ports that need to remain open.
For all other findings, remediate per instructions below:
• Need to secure network traffic for a single VNet, please follow instruction to setup Network Security Groups (NSG).
• Need to secure network traffic for one or more peered VNet, please follow instruction to setup Azure Firewall.
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"04/04/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"name\": \"41503391-efa5-47ee-9282-4eff6131462c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running container images should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9\",\r\n \"description\": \"Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.
7. Use the new image across all pods where it is currently being used.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ElevationOfPrivilege\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"name\": \"afd071f0-ebaa-422b-bb2f-8a772a31db75\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function apps should have vulnerability findings resolved\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve function app vulnerabilities:
1. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [],\r\n \"publishDates\": {\r\n \"public\": \"03/18/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

Auto provisioning:
You can also auto deploy this add-on as explained in Enable auto provisioning of extensions.
When auto provisioning for the add-on is set to On, the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"name\": \"0642d770-b189-42ef-a2ce-9dcc3ec6c169\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b2122c1-8120-4ff5-801b-17625a355590\",\r\n \"description\": \"Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\",\r\n \"remediationDescription\": \"To configure the Azure Policy extension for use with your Azure Arc-enabled Kubernetes cluster, follow the instructions in #Install Azure Policy Extension for Azure Arc-enabled Kubernetes.

Auto provisioning:
You can also auto deploy this extension as explained in Enable auto provisioning of extensions .
When auto provisioning for the extension is set to \\\"on\\\", the extension is enabled by default in all existing and future clusters (that meet the extension installation requirements).\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2022\",\r\n \"public\": \"06/01/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/0adc5395-9169-4b9b-8687-af838d69410a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' or remove this property on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Implant Container Image\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\"\r\n ],\r\n \"techniques\": [\r\n \"External Remote Services\",\r\n \"Non-Standard Port\",\r\n \"Exploit Public-Facing Application\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters. Recommend to set parameter 'Required drop capabilities' as [\\\"ALL\\\"] to enforce to drop all capabilities. The recommendation by default will only block to add capacities.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: [\\\"NET_ADMIN\\\", \\\"SYS_TIME\\\"].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Collection\",\r\n \"Lateral Movement\",\r\n \"Persistence\",\r\n \"Defense Evasion\",\r\n \"Impact\",\r\n \"Privilege Escalation\",\r\n \"Credential Access\"\r\n ],\r\n \"techniques\": [\r\n \"Scheduled Task/Job\",\r\n \"Data Staged\",\r\n \"Taint Shared Content\",\r\n \"Account Manipulation\",\r\n \"Create Account\",\r\n \"File and Directory Permissions Modification\",\r\n \"Data Destruction\",\r\n \"Data Encrypted for Impact\",\r\n \"Server Software Component\",\r\n \"Create or Modify System Process\",\r\n \"Event Triggered Execution\",\r\n \"Compromise Client Software Binary\",\r\n \"Modify Authentication Process\",\r\n \"Hide Artifacts\",\r\n \"Data Manipulation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If there's a compromise, the container node access from the containers should be restricted.\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Lateral Movement\"\r\n ],\r\n \"techniques\": [\r\n \"Taint Shared Content\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers shouldn't run as root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. If there's a compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the relevant pods.
2. For these pods, ensure the runAsUser property is set to a non-zero value or set property runAsNonRoot=true.
3. After making your changes, redeploy the pod with the updated rule.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should only use allowed AppArmor profiles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only.
;AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\",\r\n \"Persistence\"\r\n ],\r\n \"techniques\": [\r\n \"Process Injection\",\r\n \"Modify Authentication Process\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"name\": \"111cb068-89df-48bd-9493-2e6773444af8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should gate deployment of vulnerable images\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759\",\r\n \"description\": \"Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Defender for Cloud's CI/CD scanning and Microsoft Defender for container registries to identify and patch vulnerabilities prior to deployment.
Evaluation prerequisite: Azure policy add-on/extension and the Defender profile/extension.
Applicable only for private preview customers.\",\r\n \"remediationDescription\": \"Configuration

Use the Settings tab to ensure the recommendation policy meets your requirement.

Monitor and resolve violations in audit mode
  1. Click on a cluster to see violating pods.
  2. For each non-compliant pod, extract used images using 'kubectl get pods <pod name> -n <pod namespace> -o json'
  3. Retrieve list of vulnerabilities per pod using the 'Container registry images should have vulnerability findings resolved' recommendation:
    1. If an image is unscanned, push/import image to registry protected by Defender for Containers and re-deploy pod.
    2. If scan result violates security policy, follow scan findings remediation steps to remediate image and re-deploy pod.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"10/25/2021\"\r\n },\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"techniques\": [\r\n \"Endpoint Denial of Service\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes API server should be configured with restricted access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained inCreate a private Azure Kubernetes Service cluster.\",\r\n \"remediationDescription\": \"To manually configure authorized IP ranges, follow the steps in Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). If your existing cluster uses a Basic SKU Load Balancer, you'll need to redeploy or migrate to a new AKS cluster using the Standard SKU Load Balancer as explained in Moving from a basic SKU load balancer to standard SKU. 
If you decide not to redeploy, and you want to move these clusters to the 'not applicable' tab, follow the steps in Define an exemption.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Container and Resource Discovery\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Select 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ],\r\n \"publishDates\": {\r\n \"ga\": \"06/01/2021\",\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Privilege Escalation\"\r\n ],\r\n \"techniques\": [\r\n \"Exploitation for Privilege Escalation\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"name\": \"c6d87087-9ebe-b31f-b452-0bf3bbbaccd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should be accessible only over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\r\n \"description\": \"Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the ingress objects that are accessible without HTTPS. 1. If the ingress controlled by nginx ingress controller, must first set annotation \\\"nginx.ingress.kubernetes.io/force-ssl-redirect\\\"=true. 2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. 
After making your changes, redeploy the updated ingress object.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"techniques\": [\r\n \"Network Sniffing\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"name\": \"3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Arc-enabled Kubernetes clusters should have the Defender extension installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f\",\r\n \"description\": \"Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-kubernetes-azure-arc?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation.\",\r\n \"remediationDescription\": \"To install the Defender extension on your Arc-enabled Kubernetes clusters, select an unhealthy cluster and select Remediate.
To manually deploy the extension with Azure Resource Manager, Azure CLI, or the REST API, see the instructions in Microsoft Defender for Arc-enabled Kubernetes.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"name\": \"56a83a6e-c417-42ec-b567-1e6fcb3d09a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Kubernetes Service clusters should have Defender profile enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about [Microsoft Defender for Containers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#architecture-overview).\",\r\n \"remediationDescription\": \"To enable the profile using Azure CLI, Azure Resource Manager, or the REST API, follow the instructions in Enable the SecurityProfile.AzureDefender profile.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"07/01/2022\",\r\n \"public\": \"12/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ],\r\n \"remediationPolicy\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"name\": \"ff87e0b4-17df-d338-5b19-80e71e0dcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not use the default namespace\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\r\n \"description\": \"Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the components using the default namespace.
1. From the unhealthy resources tab, select a cluster.
2. Define a namespace for the components.
3. After making your changes, redeploy the components with the updated namespace. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"name\": \"32060ac3-f17f-4848-db8e-e7cf2c9a53eb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should disable automounting API credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423\",\r\n \"description\": \"Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"From the unhealthy resources tab, select the cluster. Defender for Cloud lists the pods missing the automountServiceAccountToken: false flag. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. 
After making your changes, redeploy your updated pod or service account.\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"name\": \"aba14f78-27c5-af84-848e-9105d18dfd92\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes clusters should not grant CAPSYSADMIN security capabilities\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626\",\r\n \"description\": \"To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.\",\r\n \"remediationDescription\": \"Defender for Cloud lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove containers' CAP_SYS_ADMIN Linux security capabilities: 1. From the unhealthy resources tab, select the cluster. 2. Insert a capabilities section in the securityContext section of the container manifest with Drop: SYS_ADMIN. 3. 
After making your changes, redeploy the pod with the updated capabilities\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"public\": \"06/01/2021\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"name\": \"b7683ca3-3a11-49b6-b9d4-a112713edfa3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced configuration of Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.\",\r\n \"remediationDescription\": \"To enable advanced configuration of the Containers plan for a GCP account connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\"> \\\"Containers\\\" row, and select \\\"Configure >\\\".
  4. Enable the missing auto provision features and select Save.
  5. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"name\": \"d42ac63d-0592-43b2-8bfa-ff9199da595e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled on GCP connectors\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.\",\r\n \"remediationDescription\": \"To enable Defender for Containers on all GKE clusters in an GCP project connected to Microsoft Defender for Cloud:
  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. Navigate to the \\\"Environment settings\\\" page, and select the relevant GCP account.
  3. Navigate to \\\"Select plans\\\", and toggle \\\"Containers\\\" to \\\"On\\\".
  4. Select \\\"Next: Configure access\\\" and follow the instructions.
\",\r\n \"categories\": [\r\n \"Container\"\r\n ],\r\n \"severity\": \"High\",\r\n \"publishDates\": {\r\n \"ga\": \"03/29/2022\",\r\n \"public\": \"03/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Impair Defenses\"\r\n ],\r\n \"cloudProviders\": [\r\n \"GCP\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"name\": \"6672df26-ff2e-4282-83c3-e2f20571bd11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have code scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Security. 3. To the right of Code scanning alerts, click Set up code scanning. If code scanning is missing, you need to ask an organization owner or repository administrator to enable GitHub Advanced Security. 4. Under 'Get started with code scanning', click Set up this workflow on the CodeQL analysis workflow or on a third-party workflow. 5.To customize how code scanning scans your code, edit the workflow. 6. 
Use the Start commit drop-down, and type a commit message. 7. Click Commit new file or Propose new file\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"name\": \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have Dependabot scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.\",\r\n \"remediationDescription\": \"1. Browse to a GitHub repository. 2. Click on the Settings. 3. Click 'Security & analysis'. 4. 
Enable Dependabot alerts\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"name\": \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GitHub repositories should have secret scanning enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.\",\r\n \"remediationDescription\": \"1. On GitHub.com, navigate to the main page of the repository. 2. Under your repository name, click Settings. 3.In the left sidebar, click Security and analysis. 4. If Advanced Security is not already enabled for the repository, to the right of GitHub Advanced Security, click Enable. 5. 
Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository. 6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If Secret scanning is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"06/02/2022\"\r\n },\r\n \"tactics\": [\r\n \"Initial Access\",\r\n \"Defense Evasion\"\r\n ],\r\n \"techniques\": [\r\n \"Exploit Public-Facing Application\",\r\n \"Exploitation for Client Execution\"\r\n ],\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"name\": \"1c0ba94f-e732-43c7-bf3a-05e80f45d642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure API Management APIs should be onboarded to Defender for APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfiguration.
In order to enable security monitoring & coverage on your APIs within Azure API Management, please remediate this recommendation through steps below.
Important: Enabling Defender for APIs monitoring coverage will require compute & memory utilization on the Azure API Management service.
Please monitor the performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Managment resources when needed.\",\r\n \"remediationDescription\": \"Select the unhealthy resources and click \\\"Fix\\\" to launch \\\"Quick fix\\\" remediation. Note: After the process completes, it may take up 3 hurs until your resources move to the \\\"Healthy resources\\\" tab.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"name\": \"4e8c00a2-e8bc-42a8-9e12-99584a51ad10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints that are unused should be disabled and removed from the Azure API Management service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"API endpoints that are no longer in use should be removed from the Azure API Management service as a best practice. API endpoints that are unused (haven't received traffic for a threshold of 30 days) may pose a risk to an organization. These may be APIs that should have been deprecated from the Azure API Management service, but may have been accidently left as active and they may not be receiving the most up to date security coverage.\",\r\n \"remediationDescription\": \"Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management resource to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as \\\"API operation\\\").
4. Select the ellipses next to the endpoint and select \\\"Delete\\\" to remove the unused API endpoint.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ],\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"name\": \"91af2040-7874-4659-abf0-578e1f8d07dc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API endpoints in Azure API Management should be authenticated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Authentication mechanisms are often implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. API endpoints published within Azure API Management should enforce authentication to help minimize this risk. Learn More\",\r\n \"remediationDescription\": \"1. Verify the configuration of the authentication on the API endpoint. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are present, or if none of these authentication mechanisms are executed, the API will receive this recommendation.
2. After the assessment, if the API is verified and is missing or incorrectly configured authentication, enable & ensure the proper configuration of authentication for the API endpoint. For Azure API Management, steps and a reference example regarding how to enable authentication can be found here in this document: API Management authentication policies\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"publishDates\": {\r\n \"public\": \"08/20/2022\"\r\n },\r\n \"cloudProviders\": [\r\n \"Azure\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n 
\"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer managed metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Customer managed description\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"[elgrady] custom assessment metadata description\",\r\n \"remediationDescription\": \"[elgrady] custom assessment remediationDescription\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": 
"//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1caa9089-141c-4c39-90e2-6d7426c3669c" + "2dbabe79-13c0-41bf-9c15-f6a84a5854fa" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -147,16 +207,16 @@ "no-cache" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "747" + "749" ], "x-ms-request-id": [ - "8171fc0a-94b1-44a0-9366-37f7a025110c" + "5f2c7e7e-cf99-4afd-af20-6130d3380d3d" ], "x-ms-correlation-request-id": [ - "8171fc0a-94b1-44a0-9366-37f7a025110c" + "5f2c7e7e-cf99-4afd-af20-6130d3380d3d" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144748Z:8171fc0a-94b1-44a0-9366-37f7a025110c" + "FRANCESOUTH:20221117T095059Z:5f2c7e7e-cf99-4afd-af20-6130d3380d3d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -165,10 +225,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:48 GMT" + "Thu, 17 Nov 2022 09:50:59 GMT" ], "Content-Length": [ - "345413" + "276520" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -177,28 +237,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Learn more about how Endpoint Protection for machines is evaluated.\",\r\n \"remediationDescription\": \"To remediate missing endpoint protection:
1. Confirm that your solution is on the list of tools supported by Security Center.
2. Install the supported endpoint protection solution or enable an existing tool.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"name\": \"0396b18c-41aa-489c-affd-4ee5d1714a59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure Boot should be enabled on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling Secure Boot on your virtual machine helps mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.\",\r\n \"remediationDescription\": \"Enabling Secure Boot requires restarting your virtual machine:
1. Stop your VM when it is safe to do so.
2. Enable Secure Boot for the VM.
3. Restart the VM.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"name\": \"f7010359-8d21-4598-a9f2-c3e81a17141e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL server advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"name\": \"ebe970fe-9c27-4dd7-a165-1e943d565e10\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All advanced threat protection types should be enabled in SQL managed instance advanced data security settings\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\r\n \"description\": \"It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.\",\r\n \"remediationDescription\": \"To set advanced threat protection types to 'All' on a managed instance:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Advanced threat protection types', mark the check box for 'all'.
4. click OK.
5. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"name\": \"9172da4e-9571-6e33-2b5b-d742847f3be7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Remote debugging should be turned off for API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\r\n \"description\": \"Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.\",\r\n \"remediationDescription\": \"To turn off remote debugging, we recommend the following steps:
1. Go to the app service applications settings page
2. In the remote debugging toggle select Off
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"name\": \"e40df93c-7a7c-1b0a-c787-9987ceb98e54\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CORS should not allow every resource to access your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\r\n \"description\": \"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.\",\r\n \"remediationDescription\": \"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"name\": \"bf82a334-13b6-ca57-ea75-096fc2ffce50\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"API App should only be accessible over HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\r\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\r\n \"remediationDescription\": \"To redirect all HTTP traffic to HTTPS, we recommend the following steps:
1. Go to the app service custom domains page
2. In the HTTPS Only toggle select On\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\r\n \"description\": \"Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines.
\\n Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to
\\n provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and
\\n compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt
\\n the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use
\\n Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service
\\n Encryption where the encryption keys are Microsoft managed keys in Azure. If this meets your compliance and security requirements,
\\n you can leverage the default Managed disk encryption to meet your requirements.\",\r\n \"remediationDescription\": \"To enable disk encryption on your virtual machines, follow Encryption instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Restart your machines to apply the system updates and secure the machine from vulnerabilities.\",\r\n \"remediationDescription\": \"To restart the machine:
1. Go to Virtual machines and click on your machine.
2. Click 'Restart'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your machines to protect them from attacks.\",\r\n \"remediationDescription\": \"1.\\tClick any of the configuration vulnerabilities. 2. In the Remediate security configurations pane, click View affected machines. 3. Click a machine from the list. 4. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.\",\r\n \"remediationDescription\": \"1. Click any of the health issues. 2. Select a workspace. 3. 
Customize the Kusto query as necessary and run the command.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1.\\tSelect one or more virtual machines, or use the filter to set criteria for which machines to select. 2. 
Click Install on [x] VMs.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\r\n \"description\": \"Enable transparent data encryption to protect data-at-rest and meet compliance requirements\",\r\n \"remediationDescription\": \"To enable transparent data encryption on your SQL databases:
1. Select the SQL database.
2. Under Data encryption, select On.
3. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\r\n \"description\": \"Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.\",\r\n \"remediationDescription\": \"To enable SQL server auditing:
1. Select the SQL server.
2. Under Auditing, select On.
3. Select Storage details and configure a storage account for the audit log.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"name\": \"8bc390da-9eb6-938d-25ed-44a35d9bcc9d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"OS version should be updated for your cloud service roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3\",\r\n \"description\": \"Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.\",\r\n \"remediationDescription\": \"Update the OS version on your cloud service roles to make sure you have the most recent OS version. To do this, follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"name\": \"383cf3bc-fdf9-4a02-120a-3e7e36c6bfee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Install endpoint protection solution on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"1. 
Select one or more machines, or use the filter to set criteria for which machines to select. 2. Click Install on [x] machines.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"name\": \"e7ee30c4-bac9-2966-54bd-2023a4282872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Monitoring agent should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.\",\r\n \"remediationDescription\": \"1. For instructions on how to install the agent on Windows, click here 2. 
For instructions on how to install the agent on Linux, click here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65\",\r\n \"description\": \"Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.\",\r\n \"remediationDescription\": \"To resolve Log Analytics agent health issues and see the different resolution for each issue, please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.\",\r\n \"remediationDescription\": \"For multiple ways to install and configure your Log Analytics agent please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and 
have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.\",\r\n \"remediationDescription\": \"To enable MFA using conditional access you must have an Azure AD Premium license and have AD tenant admin permissions.
1. Select the relevant subscription or click 'Take action' if it's available. The list of user accounts without MFA appears.
2. Click 'Continue'. The Azure AD Conditional Access page appears.
3. In the Conditional Access page, add the list of users to a policy (create a policy if one doesn't exist).
4. For your conditional access policy, ensure the following:
 a. In the 'Access controls' section, multi-factor authentication is granted.
 b. In the 'Cloud Apps or actions' section's 'Include' tab, check that Microsoft Azure Management (App Id :797f4846-ba00-4fd7-ba43-dac1f8f63013) or 'All apps' is selected. In the 'Exclude' tab, check that it is not excluded.
To enable MFA security defaults in Azure Active Directory (included in Azure AD free):
1. Sign in to the Azure AD - Properties page as a security administrator, Conditional Access administrator, or global administrator.
2. From the bottom of the page, select Manage security defaults.
3. Set Enable security defaults to Yes.
4. Select Save.
Note: It can take up to 12 hours for the change to be reflected in Security Center.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with read permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\r\n \"description\": \"Accounts with read permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\r\n \"description\": \"Accounts with write permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"External accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\r\n \"description\": \"Accounts with owner permissions that have different domain names (external accounts), should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove external accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of external user accounts that require access removal opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments'
2. Search and select the users that were in the list of user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\r\n \"description\": \"User accounts that have been blocked from signing in, should be removed from your subscriptions.
These accounts can be targets for attackers looking to find ways to access your data without being noticed.\",\r\n \"remediationDescription\": \"To remove blocked user accounts:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The list of blocked user accounts opens.
Click 'Continue'. The Access control (IAM) page opens.
In the Access control page:
1. Click the 'Role assignments' tab.
2. Search and select the users that were in the list of blocked user accounts that require removal. You can scroll back to the left to see the list.
3. Click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\r\n \"description\": \"It is recommended to designate up to {0} subscription owners in order to reduce the potential for breach by a compromised owner.\",\r\n \"remediationDescription\": \"To remove owner permissions from user accounts on your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click the Role assignments tab and set the 'Role' filter to 'Owner'.
2. Select the owners you want to remove.
3. Click Remove.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\r\n \"description\": \"Designate more than one subscription owner in order to have administrator access redundancy.\",\r\n \"remediationDescription\": \"To add another account with owner permissions to your subscription:
Click a subscription from the list of subscriptions below or click 'Take action' if you are coming from a specific subscription.
The Access control (IAM) page opens.
1. Click 'Add' to open the Add role assignment pane.
If you don't have permissions to assign roles, the Add role assignment option will be disabled
1. In the 'Role' drop-down list, select the Owner role.
2. In the Select list, select a user.
3. Click Save.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"name\": \"0677209d-e675-2c6f-e91a-54cef2878663\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in container security configurations should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in the container security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the specified instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on SQL servers:
1. Select the SQL server.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\r\n \"description\": \"Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.\",\r\n \"remediationDescription\": \"To provision an Azure AD administrator for SQL server, see Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\r\n \"description\": \"Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.
Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.

Available resources and information about this tool & migration:
1. Overview of Virtual machines (classic) deprecation, step by step process for migration & available microsoft resources.
2. Details about Migrate to ARM migration tool.
3. Migrate to ARM migration tool using Power shell.\",\r\n \"remediationDescription\": \"To migrate virtual machines to new ARM resources:
1. Go to the Virtual machines (classic) Portal Blade.
2. Click on Migrate to ARM.
3. Click on Validate. If validate failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
4. Click on Prepare. If prepare failed, use the suggested methods in the error messages or Migration Overview document to fix the errors.
5. (Optional) Click on Abort to rollback migration.
6. Click on Commit. Commit finalizes the migration and cannot be rolled back.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"name\": \"22e18b64-4576-41e6-8972-0eb28c9af0c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\r\n \"description\": \"Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\r\n \"remediationDescription\": \"To upgrade a Kubernetes version using the Azure portal:
1. Go to Azure Kubernetes Services and click on the specific Kubernetes Service.
2. Under 'Upgrade' select the target Kubernetes version and save the change. Note:When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.10.x -> 1.11.x or 1.11.x -> 1.12.x are allowed, however 1.10.x -> 1.12.x is not. To upgrade from 1.10.x -> 1.12.x, first upgrade from 1.10.x -> 1.11.x, then upgrade from 1.11.x -> 1.12.x.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"name\": \"1a2b5b4c-f80d-46e7-ac81-b51a9fb363de\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Authorized IP ranges should be defined on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\r\n \"description\": \"Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.\",\r\n \"remediationDescription\": \"To configure authorized IP ranges, follow the steps described here Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS). 
If you are using Basic load balancer, you need to first migrate to Standard to use authorized IP ranges.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"name\": \"a3eee263-aa01-4b52-a7c0-0094578ef48f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Pod Security Policies should be defined on Kubernetes Services (Deprecated)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\r\n \"description\": \"(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.\",\r\n \"remediationDescription\": \"To configure Pod Security Policies, follow the steps described here Secure your cluster using pod security policies in Azure Kubernetes Service (AKS).\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"name\": \"b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Role-Based Access Control should be used on Kubernetes Services\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\r\n \"description\": \"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information, see Azure role-based access control.\",\r\n \"remediationDescription\": \"To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process. Creating a Kubernetes Service with RBAC enabled can be done via the portal as follows:
1. Go to Azure Kubernetes Services.
2. Click 'Add' and enter your cluster's configuration.
3. In the 'Authentication' tab, verify that the 'Enable RBAC' setting is set to 'Yes'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"name\": \"c6dad669-efd7-cd72-61c5-289935607791\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Data Lake Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Analytics diagnostics:
1. Go to Data Lake Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"name\": \"c42fc28d-1703-45fc-aaa5-39797f570513\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\r\n \"description\": \"Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.\",\r\n \"remediationDescription\": \"To enable vulnerability assessment on a managed instance:
1. Select the SQL managed instance.
2. Make sure that 'Advanced data security' is set to 'On'.
3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results.
4. Click Save.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"name\": \"ff6dbca8-d93c-49fc-92af-dc25da7faccd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your managed instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"remediationDescription\": \"To enable Azure Defender for SQL on managed SQL servers: 1. Select the managed SQL server. 2. Under 'Security Center', set Azure Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Click Save.
Note: Azure Defender for SQL is billed as shown on the pricing page.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"name\": \"35b25be2-d08a-e340-45ed-f08a95d804fc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Only secure connections to your Redis Cache should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\r\n \"description\": \"Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable only SSL connections to your Redis Cache, we recommend the following steps:
1. Go to the Redis Caches, and select your redis cache.
2. Select 'Advanced settings'.
3. For 'Allow access only via SSL', click 'Yes' and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable IoT Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"name\": \"32771b45-220c-1a8b-584e-fdd5a2584a66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Batch accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Batch diagnostics:
1. Go to Batch and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"name\": \"f11b27f2-8c49-5bb4-eff5-e1e5384bf95e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Stream Analytics should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Stream Analytics diagnostics:
1. Go to Stream Analytics and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"name\": \"f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Service Bus should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Service Bus diagnostics:
1. Go to the Service Bus.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"name\": \"b12bc79e-4f12-44db-acda-571820191ddc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Automation account variables should be encrypted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\r\n \"description\": \"It is important to enable encryption of Automation account variable assets when storing sensitive data.\",\r\n \"remediationDescription\": \"You should encrypt Automation Account Variables that store sensitive data. This step can only be taken at creation time.
If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables.
To apply encryption of the Automation account variable assets, in the Azure CLI - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Read more here\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"name\": \"ad5bbaeb-7632-5edf-f1c2-752075831ce8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Azure Data Lake Store should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Data Lake Store diagnostics:
1. Go to Data Lake Store and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"name\": \"dea5192e-1bb3-101b-b70c-4646546f5e1e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Search services should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Search diagnostics:
1. Go to Search and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"name\": \"03afeb6f-7634-adb3-0a01-803b0b9cb611\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should only use Azure Active Directory for client authentication\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\r\n \"description\": \"Perform Client authentication only via Azure Active Directory in Service Fabric\",\r\n \"remediationDescription\": \"To enable client authentication using Azure Active Directory follow the instructions to Set up Azure Active Directory for client authentication.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"name\": \"7f04fc0c-4a3d-5c7e-ce19-666cb871b510\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\r\n \"description\": \"Service Fabric provides three levels 
of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.\",\r\n \"remediationDescription\": \"To set 'ClusterProtectionLevel' inside Service Fabric ARM template to 'EncryptAndSign':
1. Go to the Service fabric cluster.
2. Click on 'Custom fabric settings'.
3. Click 'Add new', set the 'Security' section and update the 'ClusterProtectionLevel' property to 'EncryptAndSign'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"name\": \"1597605a-0faf-5860-eb74-462ae2e9fc21\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Event Hub should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Event Hub diagnostics:
1. Go to the Event Hub namespace.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"name\": \"91387f44-7e43-4ecc-55f0-46f5adee3dd5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Logic Apps should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Logic Apps diagnostics:
1. Go to Logic Apps and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Virtual Machines Scale Sets diagnostics follow the instructions\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\r\n \"description\": \"To benefit from new capabilities in Azure Resource Manager, 
you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Learn more\",\r\n \"remediationDescription\": \"To migrate storage accounts to new ARM resources :
1. Go to the Storage Account
2. Click on Migrate to ARM and follow the instructions.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\r\n \"description\": \"Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.\",\r\n \"remediationDescription\": \"To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"name\": \"45d313c3-3fca-5040-035f-d61928366d31\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Access to storage accounts with firewall and virtual network configurations should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\r\n \"description\": \"Review the settings of network access in your storage account firewall settings. It is recommended to configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.\",\r\n \"remediationDescription\": \"
1. In your storage account, go to 'Firewalls and virtual networks'.
2. Under 'Allow access from', choose 'Selected networks'.
3. Configure the relevant virtual networks and IP ranges that should be allowed to access your storage account.
4. Configure \\\"Allow trusted Microsoft services to access your storage account\\\".\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\r\n \"description\": \"Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\r\n \"remediationDescription\": \"To enable secure transfer required:
1. In your storage account, go to the 'Configuration' page.
2. Enable 'Secure transfer required'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.\",\r\n \"remediationDescription\": \"To install system updates:
1. Review the list of missing system updates.
2. Follow the steps to resolve the update, as described in the support link.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b\",\r\n \"description\": \"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.\",\r\n \"remediationDescription\": \"For information on how to add the Log analytics agent as an extension to your virtual machine scale set please see the following instructions. 
For information on how to deploy the log analytics agent at scale on virtual machine scale set using Azure Policy please see the following instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\r\n \"description\": \"Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.\",\r\n \"remediationDescription\": \"To remediate vulnerabilities in VM scale set security configurations:
1. Review the list of failed rules.
2. Fix each rule according to the instructions provided.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"To install an endpoint protection solution:
1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\r\n \"description\": \"Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.\",\r\n \"remediationDescription\": \"Resolve endpoint protection health issues on your VM scale sets to get full protection and coverage by Azure Security Center. 
To do this, follow the instructions in each of the possible endpoint protection health issues displayed on your virtual machine scale set.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Guest configuration extension should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601\",\r\n \"description\": \"Install the guest configuration agent to enable auditing settings inside a machine such as:
  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
For more details, visit in-guest policies\",\r\n \"remediationDescription\": \"Quick fix remediation:
To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'.
Read the remediation details in the confirmation box, and approve the remediation.
Note: It can take several minutes after remediation completes to see the resources in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40\",\r\n \"description\": \"Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).\",\r\n \"remediationDescription\": \"Enable controlled folder access: controlled folder access
The following attack surface rules should be enabled:
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
'd3e037e1-3eb8-44c8-a917-57927947596d',
'5beb7efe-fd9a-4556-801d-275e5ffc04cc',
'3b576869-a4ec-4529-8536-b80a7769e899',
'26190899-1602-49e8-8b27-eb1d0a1ce869',
'92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
For more information on visit:Learn more\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"name\": \"27ac71b1-75c5-41c2-adc2-858f5db45b08\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Windows-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Windows.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"name\": \"720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Log Analytics agent should be installed on your Linux-based Azure Arc machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373\",\r\n \"description\": \"Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.\",\r\n \"remediationDescription\": \"To install the monitoring agent on your Arc machine:
1. From the Azure Arc machine's page, go to Extensions and select Add.
2. Follow the instructions to add the relevant extension.
You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"name\": \"fc84abc0-eee6-4758-8372-a7681965ca44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Validity period of certificates stored in Azure Key Vault should not exceed 12 months\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\r\n \"description\": \"Ensure your certificates do not have a validity period that exceeds 12 months.\",\r\n \"remediationDescription\": \"To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select \\\"+ New Version\\\". The \\\"Create a Certificate\\\" pane opens. 2. Change the \\\"Validity period (in months)\\\" field to 12 or less. 3. Select \\\"Create\\\". 4. 
Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\r\n \"description\": \"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.\",\r\n \"remediationDescription\": \"To prevent public access to containers and blobs in your storage account:
1. In the Azure portal, navigate to your storage account.
2. From the settings menu, select \\\"Configuration\\\".
3. Set \\\"Allow Blob public access\\\" to \\\"Disabled\\\".
Learn more about public access
Note: It might take several minutes after remediation completes until the resource appears in the 'healthy resources' tab.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\r\n \"description\": \"Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.\",\r\n \"remediationDescription\": \"1. To enable Azure Backup for an individual virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu.
In the screen that appears, you can then choose to backup the machine to a new or existing Recovery Services vault in the same location and subscription.
Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for virtual machines at scale, you can assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to a given scope.
This policy can be assigned to one subscription-location pair at a time.
Learn more at http://aka.ms/AzureBackupVMGovernance\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your function app:
1. Go to the App Service for your API app 2. Navigate to Platform features 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"name\": \"2ce368b5-7882-89fd-6645-885b071a2409\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MariaDB\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\r\n \"description\": \"Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MariaDB server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=2086853\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your web app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"name\": \"95592ab0-ddc8-660d-67f3-6df1fadfe7ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for PostgreSQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\r\n \"description\": \"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for PostgreSQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867615\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\r\n \"description\": \"Client certificates allow for the app to request a certificate for incoming requests.
Only clients that have a valid certificate will be able to reach the app.\",\r\n \"remediationDescription\": \"To set Client Certificates for your Web App:
1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require.
For more information, visit here: https://aka.ms/auth-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"name\": \"8ad68a2f-c6b1-97b5-41b5-174359a33688\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Geo-redundant backup should be enabled for Azure Database for MySQL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\r\n \"description\": \"Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.\",\r\n \"remediationDescription\": \"To configure your Azure Database for MySQL server with geo-redundant backup during server creation, select the “Geo-Redundant” option for the server in the Compute + Storage configuration.
For more information, see: https://go.microsoft.com/fwlink/?linkid=867608\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"name\": \"5a659d57-117d-bb18-65f6-54e51da1bb9b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your API app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\r\n \"description\": \"Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised\",\r\n \"remediationDescription\": \"To enable App Service diagnostics:
1. Navigate to Azure App Service and select App Service logs 2. In Application logging, select File System 3. Specify the retention period for the logs 4. If using Azure monitor select Diagnostic settings and click Add diagnostic setting 5. Select one or more catagories of logs to collect 6. Select one of the options to store the diagnostics logs and follow the instructions.
For more information, visit https://aka.ms/enable-logs\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"name\": \"cc6d1865-7617-3cb2-cf7d-4cfc01ece1df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Managed identity should be used in your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\r\n \"description\": \"For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.\",\r\n \"remediationDescription\": \"To create a managed identity for your API app:
1. Go to the App Service for your API app 2. Scroll to the Settings group in the left navigation 3. Select Identity 4. Use System assigned or User assigned identity following the steps described in this doc: https://aka.ms/managed-identity\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"name\": \"1fde2073-a488-17e9-9534-5a3b23379b4b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for PostgreSQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\r\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for PostgreSQL:
1. Select your Azure Database for PostgreSQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848213\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"name\": \"1f6d29f6-4edb-ea39-042b-de8f123ddd39\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enforce SSL connection should be enabled for MySQL database servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\r\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.\",\r\n \"remediationDescription\": \"To enforce the use of SSL-based encrypted connections for all traffic to your Azure Database for MySQL:
1. Select your Azure Database for MySQL. 2. In Connection Security, set Enforce SSL connection to 'Enabled'.
For more information, see: https://go.microsoft.com/fwlink/?linkid=848211\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"TLS should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\r\n \"description\": \"Upgrade to the latest TLS version\",\r\n \"remediationDescription\": \"To update your function app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"name\": \"6b86d069-b3c3-b4d7-47c7-e73ddf786a63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"name\": \"7b2a234d-614b-562f-ac85-91b419688b59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"PHP should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\r\n \"description\": \"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the PHP version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-php\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"name\": \"39c63596-aa92-1b90-ee7c-628bee592cc0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your web app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"name\": \"f0fd27eb-25aa-4335-0ba2-0720cccda9a4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\r\n \"description\": \"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your function app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"name\": \"08a3b009-0178-ee60-e357-e7ee5aea59c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Java should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\r\n \"description\": \"Periodically, newer versions are released for Java either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the latest Java version for your API app:
1. Navigate to Azure App Service 2. Go to Configuration 3. Select the latest Java version in the JVM drop down.
For more information, visit here: https://aka.ms/configure-java\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"name\": \"e8407fab-bf38-b0a4-79c1-068bbf82eca1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your web app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your web app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"name\": \"96327a68-4aec-5e76-8f0e-d4670bc5a3a7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your function app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your function app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"name\": \"c2c90d64-38e2-e984-1457-7f4a98168c72\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Python should be updated to the latest version for your API app\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\r\n \"description\": \"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.\",\r\n \"remediationDescription\": \"To set the Python version for your API app, follow the instructions to show and set the version using the Azure CLI outlined in this document: https://aka.ms/configure-python\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"name\": \"c5b83aed-f53d-5201-8ffb-1f9938de410a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for PostgreSQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for PostgreSQL:
1. Navigate to your Azure Database for PostgreSQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/postgresql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/pgprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"name\": \"ca9b93fe-6f1f-676c-2f31-d20f88fdbe56\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MariaDB servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MariaDB:
1. Navigate to your Azure Database for MariaDB. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mariadbprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"name\": \"cec4922b-1eb3-cb74-660b-ffad9b9ac642\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Private endpoint should be enabled for MySQL servers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49\",\r\n \"description\": \"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.\",\r\n \"remediationDescription\": \"To configure Private Link for Azure Database for MySQL:
1. Navigate to your Azure Database for MySQL. 2. Select Private Endpoint Connections in the left-hand pane 3. Click on \\\"+Private Endpoint\\\" and follow the instructions provided https://docs.microsoft.com/azure/mysql/howto-configure-privatelink-portal.
For more information, see: https://aka.ms/mysqlprivatelink\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\r\n \"description\": \"Audit SQL servers configured with an auditing retention period of less than 90 days.\",\r\n \"remediationDescription\": \"To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your function app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your web app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"name\": \"67fc622b-4ce6-8c52-08ae-9f830036b757\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"FTPS should be required in your API App\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\r\n \"description\": \"Enable FTPS enforcement for enhanced security\",\r\n \"remediationDescription\": \"To ensure enforcement of FTPS only for your API app:
1. Go to the App Service for your API app 2. Select Configuration, and go to the General Settings tab 3. In FTP state, select FTPS only.
For more information, visit here: https://aka.ms/deploy-ftp\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"name\": \"9d07b7e6-2986-4964-a76c-b2689604e212\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Identical Authentication Credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Identical authentication credentials to the IoT Hub used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker\",\r\n \"remediationDescription\": \"Review the devices in question and make sure they are all valid. Replace any duplicated credentials and make sure all device authentication credentials are unique.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default\",\r\n \"remediationDescription\": \"Add a default rule at the end of the defined rules list to deny all inbound traffic. 
Make sure any rules defined above it only allow wanted traffic through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP Filter rule large IP range\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious intenders\",\r\n \"remediationDescription\": \"Review the rule in question and verify source IP range is as small as it needs to be for necessary traffic to go through.\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"name\": \"1a36f14a-8bd8-45f5-abe5-eef88d76ab5b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Open Ports On Device\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A listening endpoint was found on the device\",\r\n \"remediationDescription\": \"Review the open ports on the device and make sure they belong to legitimate and necessary processes for the device to function correctly\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": 
\"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"name\": \"ba975338-f956-41e7-a9f2-7614832d382d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the input chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed in\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"name\": \"beb62be3-5e78-49bd-ac5f-099250ef3c7c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall policy in one of the chains was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). 
The policy should Deny all traffic by default define rules to allow necessary communication to/from the device\",\r\n \"remediationDescription\": \"Change firewall policy to Drop and add specific rules to permit access to legitimate connections to/from the device\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"name\": \"d5a8d84a-9ad0-42e2-80e0-d38e3d46028a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Permissive firewall rule in the output chain was found\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports\",\r\n \"remediationDescription\": \"Review the rules in the recommendation and verify only necessary addresses / ports are allowed out\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"name\": \"5f65e47f-7a00-4bf3-acae-90ee441ee876\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Operating system baseline validation failure\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security related system configuration issues identified\",\r\n \"remediationDescription\": \"Review 
the failed rules and remediate the security configuration vulnerabilities identified on your devices\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"name\": \"a9a59ebb-5d6f-42f5-92a1-036fd0fd1879\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Agent sending underutilized messages\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IoT agent message size capacity is currently underutilized, causing an increase in the number of sent messages. Adjust message intervals for better utilization\",\r\n \"remediationDescription\": \"To avoid too many underutilized messages, consider enlarging the high/low priority send intervals\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"name\": \"2acc27c6-5fdb-405e-9080-cb66b850c8f5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - TLS cipher suite upgrade needed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Unsecure TLS configurations detected. Immediate TLS cipher suite upgrade recommended\",\r\n \"remediationDescription\": \"Upgrade your TLS cipher suite to a secure configuration. 
See the Guide to TLS Standards Compliance for more information\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"name\": \"d74d2738-2485-4103-9919-69c7e63776ec\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IoT Devices - Auditd process stopped sending events\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security events originated from Auditd process are no longer received from this device\",\r\n \"remediationDescription\": \"Verify Auditd process is running on the device, restart process or device as needed\",\r\n \"categories\": [\r\n \"IoT\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"name\": \"2acd365d-e8b5-4094-bce4-244b7c51d67c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Service principals should be used to protect your subscriptions instead of Management Certificates\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414\",\r\n \"description\": \"Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. 
To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. \",\r\n \"remediationDescription\": \"To remove management certificates and replace with service principals:
1. Follow the guidance here to create service principals with a certificate.
2. Select a subscription from the list of subscriptions below or navigate to the specific subscription.
3. You need to have co-admin access in order to complete this step. Select In the Management Certificates under Settings , delete the existing management certificates you would like to replace with the service principals you created.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"name\": \"506a4392-1923-487e-b8d7-8a6aee123ad4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Application Load Balancer should be configured to redirect all HTTP requests to HTTPS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if redirection from HTTP to HTTPS is configured on all HTTP listeners of Application Load Balancers.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"name\": \"4fe7c40f-0e00-4561-a3db-9fb9a1445f8c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should require requests to use Secure Socket Layer\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets 
should have policies enabled that require all requests to accept only transmission of data over HTTPS in the S3 resource policy.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"name\": \"b26b4bb8-864b-44b7-9dbe-6ebc42784893\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have server-side encryption enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Amazon S3 buckets have Amazon S3 default encryption configured or if the S3 bucket policy explicitly denies put-object requests without an encryption on server side\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"name\": \"c1769ad9-3c3a-4455-8d86-4d02dc2580f7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Config should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n 
\"description\": \"Checks if AWS Config is enabled for the current account and region. The AWS Config service manages configuration of supported AWS resources in your account and sends log files to you. Security Hub recommends AWS Config should be enabled in all regions.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"name\": \"bae62237-b51c-4b17-8a35-da91de00f768\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Hardware MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. MFA adds a layer of protection on top of a user name and password for accessing cardholder data environment. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"name\": \"9e06bec8-97f4-4b02-90d4-fa98ebab2079\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"MFA should be enabled for all IAM users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"name\": \"b78b295a-8bdb-431f-ab49-c599a219d1c1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual MFA should be enabled for the root user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"name\": \"5ca086b6-9bd4-4c07-b787-464f296ebb20\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public write access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public write access by checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL). Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"name\": \"7a15b790-008b-4501-85fe-2515a5bc2bd0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should prohibit public read access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether your S3 buckets enable public read access by 
checking the bucket policy, the Block Public Access settings, and the bucket access control list (ACL).Make sure that access to the bucket is restricted to authorized principals only.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"name\": \"7526daaf-6485-41a7-93b3-257ef2903035\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM user credentials should be disabled if not used within a pre-defined number days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your AWS Identity and Access Management (IAM) users have inactive credentials that have not been used within a specified number of days, default is 90 days.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"name\": \"d7887c9e-34c3-4c5a-a214-8022007e41f9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Password policies for 
IAM users should have strong configurations\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the account password policy for IAM users uses the following configurations: Require at least one uppercase character in password (Default = true), Require at least one lowercase character in password (Default = true), Require at least one number in password (Default = true), Password minimum length (Default = 7 or longer), Number of passwords before allowing reuse (Default = 4), Number of days before password expiration (Default = 90).\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"name\": \"d8ae9e00-250a-4a8d-a295-5e40f2e13824\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM root user access key should not exist\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the root user access key is available.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": 
\"/providers/Microsoft.Security/assessmentMetadata/7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"name\": \"7b1ddbf7-6600-41a9-a23e-e7efb8668c01\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM users should not have IAM policies attached\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that none of your IAM users have attached policies, they must inherit permissions from IAM groups or roles.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"name\": \"c60f9b4d-853d-41d3-a516-f4dc505dd92c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IAM policies should not allow full \\\"*\\\" administrative privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the AWS Identity and Access Management (IAM) policies default version (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". 
It does not check inline and AWS Managed Policies, only for the Customer Managed Policies that you created.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"name\": \"a05b1517-27e4-402f-b5d7-3995cb4ffb1f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Customer master key (CMK) rotation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if key rotation is enabled for each customer master key (CMK). 
It doesn't check CMKs that have imported key material.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"name\": \"b8b4cd2e-d8ef-43fb-a09a-f8faad403309\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the Lambda resource has a Lambda function policy attached that prohibits public access\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"name\": \"e73c08d7-bf33-428c-9a35-047b93826c85\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS snapshots should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public\",\r\n \"remediationDescription\": \"For 
instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"name\": \"ce67af84-5a51-47e7-85e5-fe8cfa5b6237\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"RDS DB Instances should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if RDS instances are publicly accessible by checking the publiclyAccessible field in the instance configuration item.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"name\": \"d2f140fd-4b82-4e49-a312-a1aaea2d4b37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Redshift clusters should prohibit public access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Redshift clusters are publicly accessible by checking the publiclyAccessible field in the cluster configuration item\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, 
please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"name\": \"529ab31c-7a8e-40f9-a004-91ac1d455fb1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the GitHub or Bitbucket source repository URL includes personal access tokens or user name and password.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"name\": \"8be46b23-a5fd-4ac6-8ec6-018b35b5afb5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Database Migration Service replication instances should not be public\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Database Migration Service replication instances are public by checking the field value of PubliclyAccessible.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this 
issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"name\": \"b1dadb19-4295-4acb-a592-6b024008e686\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EBS snapshots should not be publicly restorable\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elastic Block Store snapshots aren't publicly restorable.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"name\": \"3a660f6d-c102-4fe5-be7b-82500b9ae065\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 Block Public Access setting should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 buckets should block public access, this checks if the following public access block settings are configured from an account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.\",\r\n \"remediationDescription\": \"For instructions on how 
to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"name\": \"93facfdb-6299-4c07-b650-bc43bc3bc18d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC default security group should prohibit inbound and outbound traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that the default security group of a VPC doesn't allow inbound or outbound traffic\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"name\": \"390db523-709f-466d-8757-b0b54ea6a7bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Security groups should not allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"name\": \"86f26232-2132-4707-99ff-4e70ee16c3ab\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 security groups should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks that security groups are attached to Amazon EC2 instances or to an ENI and are surfaces unused security groups.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/099e9ded-7834-43ad-be02-30114c800211\",\r\n \"name\": \"099e9ded-7834-43ad-be02-30114c800211\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service domains are in a 
VPC.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"name\": \"40ba0792-0cf7-48e3-a629-d3871dc4b7c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Lambda functions should be in a VPC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if all Lambda function are in a VPC\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"name\": \"5ce523c5-3508-40ef-98d3-ef440253ba6b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CodeBuild project environment variables should not contain clear text credentials\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if a CodeBuild project includes environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS 
Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"name\": \"ec43ef1b-935b-4b17-9273-e28fbb94a1c2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Unused EC2 EIPs should be removed\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"An accurate asset inventory of EIPs should be maintained by checking if Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"name\": \"023c4652-db6a-4f38-ae25-fe2c9a091459\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon SageMaker notebook instances should not have direct internet access\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by checking the DirectInternetAccess field is set to disabled for an Amazon SageMaker 
notebook instance.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"name\": \"0650d086-6677-4776-9bb0-10aad0a7c6dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail logs should be encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"name\": \"f631914d-ed27-4d43-98ce-58aecc12eccf\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Amazon Elasticsearch domains should have encryption at rest enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon Elasticsearch Service (Amazon ES) domains have 
encryption at rest configured.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"name\": \"336631d3-ba44-4268-8abd-665d3950d775\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A log metric filter and alarm should exist for usage of the \\\"root\\\" user\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks the following metric filters : That the log group name is configured for use with multi-region CloudTrail activated, that there is at least one Event Selector for a Trail with IncludeManagementEvents configured to true and ReadWriteType configured to All, and that there is at least one subscriber active to an SNS topic associated to the alarm.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"name\": \"5db7555b-559c-4fe0-a2e1-d0aee04360e9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"VPC flow 
logging should be enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC(s) for packet rejects. VPC Flow Logs enable you to capture information about the IP address traffic to and from network interfaces in your VPC, and can help detect anomalous traffic.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"name\": \"4dd331be-aa29-4753-9f09-9fc2edf05bf2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail trails should be integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail trails are set to send logs to Amazon CloudWatch Logs\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"name\": \"6cf046b0-9a14-44ec-b35b-171982c78e9b\",\r\n \"type\": 
\"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS CloudTrail is enabled in your AWS account\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"name\": \"21eaabc0-9210-45fd-b7fc-0c9b255a0c16\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"CloudTrail log file validation should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if CloudTrail log file validation is enabled\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"name\": \"75c358f9-f644-41d1-9a07-af69f5ee0e2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch 
installation\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks only EC2 instances managed by AWS Systems Manager, if after patch installation on the instances they are compliant . AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"name\": \"6a9bbcb5-81a9-4164-8d17-03b255107dad\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances should be managed by AWS Systems Manager\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if AWS Systems Manager is configured to manage your EC2 instances. AWS Systems Manager is an AWS service that can be used control and view your AWS resources. Systems Manager scans the managed EC2 instances in order to maintain security and compliance, by reporting or taking action on a policy violation that is discovered. 
\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"name\": \"32b4b856-848d-4ce2-bec7-1a9be69bce6a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association has been executed on an instance\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"name\": \"5010098e-7bef-467c-baed-209d8a5afac4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"S3 buckets should have cross-region replication enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if S3 buckets have cross-region replication enabled.\",\r\n 
\"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"name\": \"94d42d13-40a6-47df-b16e-be141aae83c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Auto scaling groups associated with a load balancer should use health checks\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"name\": \"d5c82980-3fce-4c37-9ad3-9c69a1c59d8f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"GuardDuty should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Checks if Amazon GuardDuty is enabled in your AWS account and region. 
Amazon GuardDuty is a continuous security monitoring service that can identify unexpected and potentially unauthorized and malicious activity within your AWS environment \",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit the AWS Security Hub PCI DSS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"name\": \"bc85a7ee-7f43-47ab-8736-4faaec9346b5\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"SSM agent should be installed on your AWS EC2 instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Systems Manager is an AWS service that can be used to control and view your AWS infrastructure. The AWS Systems Manager Agent (SSM Agent) is a software that can be installed and configured on a machine and makes it possible for Systems Manager to update and configure these resources. Security Center leverages the SSM Agent for automatic installation of Azure Arc, that enables greater parity for AWS instances to Azure VMs.\",\r\n \"remediationDescription\": \"First, Make sure EC2 instances are managed by Systems Manager: 1.Open AWS System Manager.
2. Choose Quick setup
3. keep the default options on the configuration screen.
4. Choose Set up Systems Manager.
For directions on installing and configuring the SSM Agent on Windows instances visit this page For directions on installing and configuring the SSM Agent on Linux instances visit this page \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"name\": \"a7c8fa46-526d-4bf6-b8b3-17fa01310fd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled in every region in your AWS accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub is a regional service and customer must enable Security Hub in each region to view findings in that region. 
You should continuously monitor all regions across all of your AWS accounts for unauthorized behavior or misconfigurations, including regions you don’t use heavily.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"name\": \"20f6c761-4dd7-4f27-9e37-6db8471486ef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"AWS Security Hub should be enabled for all AWS member accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices. Integrating it into Security Center enables a comprehensive view across multiple cloud environments. 
any AWS member account related to an onboarded account should have Security Hub enabled as well.\",\r\n \"remediationDescription\": \"For instructions on how to remediate this issue, please visit AWS security hub documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"name\": \"726cde3e-02f8-4041-8935-727f2be19ba7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that corporate login credentials are used\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Make sure to log in using the credentials of a fully-managed corporate account and not a personal account.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select the checkbox next to non-corporate users, and then click 'Remove'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"name\": \"4a946e22-47e8-443d-8761-b25620b4a1e1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that multi-factor authentication is enabled for all non-service accounts\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) must be enabled for all Google Cloud Platform accounts, excluding service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP Security Settings and set up multi-factor authentication for all non-service accounts within the project.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"name\": \"0ad39832-f031-4fdd-885e-c6cce85ac77c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Service Account has no Admin privileges\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service accounts are not configured with administrative roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. 
Select Members and make sure that there aren't any 'User-Managed user created service account' accounts with one of the following roles: admin, editor, or owner.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"name\": \"90191798-da1b-40dd-aa9c-1c0eafb1ba87\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the 'Service Account User' and 'Service Account Token Creator' roles are not granted to users at a project level. Instead, grant these roles to users in the context of specific service accounts.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. In the filter table field, enter 'Role: Service Account User' and click 'Delete' (bin icon) for every user listed. 
Similarly, filter using 'Role: Service Account Token Creator' and delete every user listed.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"name\": \"ddced3c8-a5e2-4dc4-b0fe-1331c77fc9c4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure user-managed/external keys for service accounts are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all service account keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'Service Account Keys', for every External (user-managed) service account where the creation date is 90 days or more, delete the service account key and create a new one instead.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"name\": \"f493084a-d3c4-4886-8cf2-3c815aeef901\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning service account related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of 
duties. Also, make sure that users are not assigned with both 'Service Account Admin' and other 'Service Account User' roles.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. Edit members with both 'Service Account Admin' and 'Service Account User', delete one of the roles, and then click 'Save'. \",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"name\": \"3053474d-4fab-4603-8d18-2a6dfd09f782\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure KMS encryption keys are rotated within a period of 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud KMS encryption keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to GCP Security Kms. 
For every key ring, for every key in the key ring, do the following: Select 'Right side pop up the blade' > 'Edit rotation period' > 'Select a new rotation period' and specify a period of less than 90 days, and then specify a 'Starting on' date.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"name\": \"3ff38dcd-92e2-4b67-8765-35bb0174a4c7\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Separation of duties is enforced while assigning KMS related roles to users\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there is a separation of duties and that there are no users assigned with both the 'Cloud KMS Admin' role and any of the following roles: 'Cloud KMS CryptoKey', 'Cloud KMS Encrypter/Decrypter', 'Cloud KMS CryptoKey Encrypter' or 'Cloud KMS CryptoKey Decrypterer'.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin. For the member that is listed at the recommendation, click 'Edit'. For the 'Cloud KMS Admin' role, click 'Delete', and then Click 'Save'. 
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"name\": \"52f83ea2-6871-45c3-8b26-13566e966638\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are not created for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all API keys are not used within the scope of projects. The standard authentication flow should be implemented, since the use of API keys presents many security risks.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', delete the relevant API Keys. 
These API keys should be replaced by a standard authentication flow as described In the Authentication overview [GCP docs authentication]\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"name\": \"76e8881d-f18e-4e1b-b01d-376d0260e066\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to use by only specified Hosts and Apps\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted, and used only by trusted hosts, HTTP referrers, or applications.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
Under 'Key restrictions', set application restriction to HTTP referrers, IP Addresses, Android Apps, or iOS Apps, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"name\": \"0eaf40a8-5673-4b33-8457-a31d85882233\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are restricted to only APIs that application needs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are restricted to only access API endpoints that are essential to the calling application.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys', select 'API Key Name'. 
For every API key, make sure that the 'Key restrictions' parameter 'API restrictions' is not set to 'None'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"name\": \"5a235918-41a2-4bd0-8ab0-00a596e9d6a8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure API keys are rotated every 90 days\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that API keys are rotated every 90 days or less.\",\r\n \"remediationDescription\": \"Browse to APIs Credentials. Under 'API Keys'. Select 'API Key Name'. Click 'REGENERATE KEY' to rotate the API key, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"name\": \"f61e15f3-4bcf-4d2e-8f06-32237cabe0a0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Audit Logging is configured properly across all services and all users from a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. 
Configured this way, all administrative activities, or attempts to access user data, will be tracked.\",\r\n \"remediationDescription\": \"Browse to GCP IAM & Admin Audit. On the 'Audit Log' page, select the 'Log type' tab. Select 'Admin read', 'Data read', and 'Data write', and then click 'Save'. Make sure there are no exemptions.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"name\": \"cdb3af55-2abf-476b-aac7-5cfec366a4dd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that sinks are configured for all log entries\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all resource have a log sink configured, exporting copies of all the log entries to a centralized location such as a SIEM.\",\r\n \"remediationDescription\": \"Browse to GCP Logs viewer. Switch to the 'Advanced' filter bar, clear any text from the filter field, and then click 'Submit Filter'. 
Click 'Create Sink', fill out the required details, and then click 'Create Sink'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"name\": \"bc26b0d4-a1d7-4665-9d44-efc205ae73f0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure log metric filter and alerts exist for project ownership assignments/changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filters and alerts are configured to monitor project ownership assignment/change actions.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browse to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, and run the following query: (protoPayload.serviceName=\\\"cloudresourcemanager.googleapis.com\\\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"REMOVE\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\\\"ADD\\\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\\\"roles/owner\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. Configure the alert's notification channels, give it a name, and then click 'Save'. 
Finally, edit the alert policy and update the 'Target Aggregation' option to 'Count'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"name\": \"3812e247-34f2-4f06-a312-89a8fe51fa37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Audit Configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure log metric filter and alerts are configured for Audit Configuration changes. Audit logging data is required for security analysis. Tracking the log metric filters and alerts is important to ensure that all activities in the projects are being audited as planned.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*. In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"name\": \"f0f8405a-5ecc-4314-808e-083e030d6163\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Custom Role changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Custom Role changes. Monitoring role creation, update, or deletion may help to identify over-privileged or misused roles. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"iam_role\\\" AND protoPayload.methodName = \\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\". In the 'Metric Editor' menu, provide a name for the field, set 'Units' to 1 and 'Type to 'Counter', then click 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"name\": \"c23e0eec-eee4-4632-b1c2-6c884c3c963b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that log metric filter and alerts are configured for Virtual Private Cloud (VPC) Network Firewall rule changes. Firewall create or update rule events indicate network access changes, which may indicate suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_firewall_rule\\\" AND jsonPayload.event_subtype=\\\"compute.firewalls.patch\\\" OR jsonPayload.event_subtype=\\\"compute.firewalls.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to https://console.cloud.google.com/logs/metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"name\": \"7ce5a01f-e94b-438a-8b72-fa02c076f11a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network route changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network route changes. Monitoring network route changes to route tables may indicate of a suspicious activity.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=\\\"gce_route\\\" AND jsonPayload.event_subtype=\\\"compute.routes.delete\\\" OR jsonPayload.event_subtype=\\\"compute.routes.insert\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Creat Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"name\": \"0b86a67f-bde5-4c91-b10c-4102033b8692\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for VPC network changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for Virtual Private Cloud (VPC) network changes. Monitoring network changes to the VPC is important to make sure it is not compromised.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gce_network AND jsonPayload.event_subtype=\\\"compute.networks.insert\\\" OR jsonPayload.event_subtype=\\\"compute.networks.patch\\\" OR jsonPayload.event_subtype=\\\"compute.networks.delete\\\" OR jsonPayload.event_subtype=\\\"compute.networks.removePeering\\\" OR jsonPayload.event_subtype=\\\"compute.networks.addPeering\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add 'Alert Triggers', and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"name\": \"46e4e0ed-106d-405e-b1a9-ca34c8f7d31f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"\\\"Ensure that the log metric filter and alerts are configured for Cloud Storage IAM permission changes. Monitoring changes to a storage bucket permissions can help identify malicious attempts to access a sensitive storage buckets and objects inside buckets.\",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: resource.type=gcs_bucket AND protoPayload.methodName=\\\"storage.setIamPermissions\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"name\": \"b1294b0d-9b2e-4e1b-9f67-77a75fb10a65\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the log metric filter and alerts exist for SQL instance configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the log metric filter and alerts are configured for SQL instance configuration changes. Monitoring changes to an SQL instance can help identify malicious attempts to access a sensitive data stored in an SQL instance. \",\r\n \"remediationDescription\": \"STEP A - Create a Log metric: Browser to GCP Logs metrics. Click 'Create Metric', switch to the 'Advanced' filter bar, clear the text, and run the following query: protoPayload.methodName=\\\"cloudsql.instances.update\\\". In the 'Metric Editor' menu, fill the name field, set Units to 1, and the Type to Counter. Click on 'Create Metric'. STEP B - Create Alert on Metrics: To create an alert policy, browse to GCP Logs metrics. Click 'Create alert from Metric', click 'Create alert from Metric', add Alert Triggers, and then click 'Save'. 
Configure the alert's notification channels, give it a name, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"name\": \"ece6ec5d-a862-4e22-a8db-271661216018\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the default network does not exist in a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that projects do not have a default network. A default predefined network generates multiple unsecure firewall rules that are not audit logged, cannot be configured to enable firewall rule logging, and do not allow the use of a Cloud VPN or VPC Network Peering with the default network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. Select the 'default' network. On the network detail page, click 'edit', and then click 'Delete VPC network'. 
If required, you can to create a new network with custom firewall rules to replace the 'default' network.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"name\": \"3af5de46-fda8-4b6e-90f1-6565187d7c48\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure legacy networks do not exist for a project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all projects do not have a legacy network. Legacy networks may have an impact for high network traffic projects and pose a single point of contention or failure.\",\r\n \"remediationDescription\": \"Create a non-legacy network and then delete the legacy networks using the following command: 'gcloud compute networks delete my-legacy-network'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"name\": \"e40b679a-f44e-4366-87dd-7693e16a2128\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that DNSSEC is enabled for Cloud DNS\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that Domain Name System Security Extensions (DNSSEC) is enabled for Cloud DNS zones. 
DNSSEC helps mitigate the risk of a DNS hijacking and man-in-the-middle attacks, by preventing attackers from issuing fake DNS responses that may misdirect browsers to malicious websites.\",\r\n \"remediationDescription\": \"Browse to GCP DNS zones. For each zone of type 'Public', set DNSSEC to 'On'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"name\": \"049f1551-438b-444e-8904-a3c3afbcb43e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the key-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the key-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"name\": \"cc637123-c11e-40ee-adf8-93c0876481f4\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RSA-SHA1 is not used as the zone-signing key in Domain Name System Security Extensions (DNSSEC).\",\r\n \"remediationDescription\": \"To change the settings for a managed zone where RSA-SHA1 has been enabled: Turn off DNSSEC, modify they settings, and then turn on DNSSEC again. 
Finally, update the zone-signing for the reported managed DNS Zone.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"name\": \"0327f9da-f758-4d69-8903-55448b8cf70e\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that SSH access is restricted from the internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that SSH access is restricted from the internet because it can be used as initial access to the network. Prevent inbound traffic via SSH (port 22) from the internet using the generic IP address (0.0.0.0/0).\",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"name\": \"684307e9-62a8-4f2a-887a-4b90de5e4b98\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that RDP access is restricted from the Internet\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that RDP access is restricted from the internet, as is may be used for initial access to the network. Prevent inbound traffic via RDP (port 3389) from the internet using the generic IP address (0.0.0.0/0). \",\r\n \"remediationDescription\": \"Browser to GCP Networks List. 
Select 'Firewall Rules', edit the relevant rule, under 'Source IP ranges' replace the value with a specific IP address, and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"name\": \"3d55e4b1-ecdb-4eaf-9e3f-b00a764182bd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all VPC Flow Logs are enabled, for every subnet in a VPC Network.\",\r\n \"remediationDescription\": \"Browse to GCP Networks List. 
Select the relevant subnet, click 'Edit', set 'Flow Logs' to 'On', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"name\": \"c28a89d9-7cf4-439b-a8c4-ad4e769f68ee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that there are no HTTPS or SSL Proxy Load Balancers that use weak SSL policies with TLS or 1.1.\",\r\n \"remediationDescription\": \"Browser to GCP SSL Policies. 
Select the relevant policy, click 'Edit', set 'Minimum TLS version' to 'TLS 1.2', set 'Profile' to 'Modern' or 'Restricted', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"name\": \"233da9cd-11bf-463a-8aa7-4c81b9e788d1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that all instances are not configured to use the default service account with full access to all Google Cloud APIs.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant VM instance, stop the instance if it is currently started, and then click 'Edit'. 
Under 'Service Account', select 'Compute Engine default service account', make sure that 'Allow full access to all Cloud APIs' is not selected, click 'Save' and then 'Start'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"name\": \"1ff4501b-2109-4ef6-ba9d-e824a96d63d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure \\\"Block Project-wide SSH keys\\\" is enabled for VM instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that no project-wide SSH keys are used for VM instances, as they enable login to all instances in the project.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the impacted instance, click 'Edit', under 'SSH Keys', select 'Block project-wide SSH keys', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"name\": \"fa924a53-0837-4296-9bf7-18ce7dd68593\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure oslogin is enabled for a Project\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that OS login is enabled for all projects, as this pairs the SSH keys in use with IAM users. \",\r\n \"remediationDescription\": \"Browse to GCP Compute metadata. Click 'Edit', add metadata key for 'enable-oslogin' with value 'TRUE', and then click 'Save'. For every instances that overrides the project setting, browse to GCP Compute instances. 
Select the relevant instance name, click 'Edit', under 'custom metadata', remove 'enable-oslogin' keys with the value 'FALSE', and then click 'Save'.\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"name\": \"c4131c22-1ecc-4beb-9961-d90108bd975f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that 'Enable connecting to serial ports' is not enabled for all VM Instance. When the interactive serial console is enabled for an instance, clients can connect to the instance from any IP address using the proper username and SSH key.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Remote access', make sure that 'Enable connecting to serial ports' is not selected.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"name\": \"3b1713ec-feb3-4b32-b5b0-251acff0a84a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that IP forwarding is not enabled on Instances\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To prevent data loss, forwarding of data packets should not be enabled on instances.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. Select the relevant instance, under 'Network interfaces', make sure that 'IP forwarding' is set to 'Off' for every network interface.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"name\": \"6be98232-0100-474a-b33d-ba9c1a747f70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, all data at rest is encrypted by Google Compute Engine. 
Make sure that VM disks are encrypted using Customer-Supplied Encryption Keys (CSEK) enabling you to control and manage the encryption keys yourself.\",\r\n \"remediationDescription\": \"Browse to GCP Compute disks. Select the relevant disk and make sure that the 'Encryption type' is set to 'Customer supplied'.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"name\": \"9e1789cd-7b61-42db-ba12-7268283ba466\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure Compute instances are launched with Shielded VM enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To protect against advanced threats, a Compute Engine instance using a public image and must be launched with a Shielded VM. It is also important to verify that the boot loader and firmware on the VMs are signed and untampered.\",\r\n \"remediationDescription\": \"Browse to GCP Compute instances. 
Select the relevant instance, under 'Shielded VM', make sure that 'Turn on vTPM' and 'Turn on Integrity Monitoring' are enabled.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"name\": \"0bdcd23c-4ff2-4077-aa14-eb6950bfbdd8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Compute instances do not have public IP addresses\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Compute instances must not be configured with public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"name\": \"79b4eb34-c06e-49bf-883d-5352a21a962f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage bucket is not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that an IAM policy on Cloud Storage buckets does not allow anonymous or public access so sensitive 
data.\",\r\n \"remediationDescription\": \"To restrict access to Cloud Storage Buckets: Browse to GCP Storage browser. Select the relevant bucket, select 'Permissions', and then under 'Role(s)', remove all Cloud IAM permissions that were granted to 'allUsers' and 'allAuthenticatedUsers'. To restrict access from public addresses: browse to GCP Firewalls List.. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP adress values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"name\": \"a2bb3a1b-4a09-4cf7-9e79-c438687e2c2f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud Storage buckets have uniform bucket-level access enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"For simple and unified resource access, ensure that Cloud Storage buckets have uniform bucket-level access enabled.\",\r\n \"remediationDescription\": \"Browse to GCP Storage browser. 
Edit the relevant bucket, under 'Access Control', select 'Uniform', and then click 'Save'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"name\": \"a3ebc80a-847b-46d5-a37d-8dca5e6947df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Ensure that the Cloud SQL Database instance requires all incoming connections to always use SSL encryption.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances, select the relevant instance and under 'Connections', select 'Allow only SSL connections'.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"name\": \"1f386f4e-449e-41e8-b829-a2fe01086ae1\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are not open to the world\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to only accept connections from trustworthy networks and/or IP addresses and restrict all other access. 
\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"name\": \"2f6c8a5a-9407-467c-8082-0ad4ab915d77\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances do not have public IPs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL instances must be configured to use private IP addresses, and not public IP addresses.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"name\": \"664c6a0b-5cd2-4140-aaff-a94241c07afd\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that Cloud SQL database instances are configured with automated backups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Cloud SQL database instances must be configured with automated backups.\",\r\n \"remediationDescription\": \"Browse to GCP Sql instances. 
Select the relevant instance, and under 'Backups', make sure that 'Automated backups' is set to 'Enabled' and that the 'Backup time' is set.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"name\": \"5723400d-5b2a-45f1-99ee-837986866318\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure that BigQuery datasets are not anonymously or publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"To ensure that sensitive data is not compromised, IAM policies on BigQuery datasets must not allow anonymous or public access.\",\r\n \"remediationDescription\": \"Browse to GCP Firewalls List. 
Edit each firewall rule in the list, under 'Source IP ranges', modify the IP address values to restrict access from public IP addresses, like 0.0.0.0/0.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"name\": \"582c14e9-48c1-4b25-ab93-91bdeaf9120c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Avoid the use of the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The \\\"root\\\" account is the most privileged account and has unrestricted access to all resources in the AWS account. It is highly recommended to avoid use of this account.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"name\": \"1f24d55a-df0f-4772-9090-4629c2d6bfff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Multi-Factor Authentication (MFA) should be enabled on all 
accounts that have a console password.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"name\": \"8a10942a-02ca-483f-81ae-2260ea7808cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure credentials unused for 90 days or greater are disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS resources can be accessed by using different types of credentials by AWS IAm users. Credentials such as passwords or access keys that haven't been used in 90 days or more should be deactivated or removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"name\": \"9b8eac17-6b11-4b94-9bb4-18c81aee7123\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure access keys are rotated every 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Access keys 
consist of an access key ID and secret access key. they are used to sign programmatic requests made to AWS. Access keys should be regularly rotated to reduce chance of access key used that is associated with a compromised or terminated account and ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"name\": \"554ba13c-d7d4-4530-88ce-94cf11a670ce\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one uppercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one uppercase letter to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"name\": \"66a1d478-4d24-42d4-8eca-dcdab6532a18\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one lowercase letter\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one lowercase letter to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"name\": \"b396f112-a462-4813-a93f-80bc90041e4d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one symbol\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one symbol to enforce password complexity requirements . 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5425052d-cc0d-4424-af71-050311f99634\",\r\n \"name\": \"5425052d-cc0d-4424-af71-050311f99634\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires at least one number\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require at least one number to enforce password complexity requirements . \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"name\": \"09cb7d54-db05-4d31-97f3-9bbfe1dff610\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy requires minimum password length of 14 or greater\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Password policy should require a length of 14 or greater to enforce password complexity requirements.\",\r\n \"remediationDescription\": \"For 
directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"name\": \"01fb1ad4-303b-4789-abf2-c024c4a76523\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy prevents password reuse\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policy should prevent the reuse of passwords to prevent reuse of given password by the same user.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"name\": \"0de072b9-6515-4985-842e-0318047bb85b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM password policy expires passwords within 90 days or less\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM password policies should require passwords to expire after 90 days or less.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub 
CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"name\": \"8c3f474a-234e-442f-92b3-2a45e37f7eee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no root account access key exists\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to an AWS account. All access keys associated with the root account should be removed.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"name\": \"8e3d9ac0-a248-4276-a437-304c6cd1443b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. 
When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"name\": \"8d7a6128-c8f2-43df-b422-7877346f9ddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure hardware MFA is enabled for the \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"MFA should be enabled for a root account to increase console security. When a user signs in to an AWS website, they will be prompted for their user name, password as well as for an authentication code. 
The account should be protected with a hardware MFA\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"name\": \"c55461af-4923-4fbb-b270-40d5e5f4c0ff\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies are attached only to groups or roles\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By default, IAM users, groups, and roles don't have access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. 
IAM policies should be applied directly to groups and roles but not users\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"name\": \"bbdc4999-1462-4d46-853b-2f8c6ca1c682\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a support role has been created to manage incidents with AWS Support\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. 
IAM Role should be created to allow authorized users to manage incidents with AWS Support.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"name\": \"9e1f12d0-cb3d-4e1c-a468-6bc3d934c99d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"IAM policies are the way in which privileges are granted to users, groups, or roles. 
Granting only the permissions needed to perform a task should be done instead of allowing full administrative privileges.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"name\": \"22438e3c-73c8-40af-a083-10c980c63aa2\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
CloudTrail should be enabled to allow security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"name\": \"fd5d38f6-340e-4bd2-88f2-e1314c3c07a9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail log file validation is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"A digitally signed digest file is created by CloudTrail log file validation, containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. 
\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"name\": \"0384d5b7-5def-4130-b7b5-db7da7e63276\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the S3 bucket CloudTrail logs to is not publicly accessible\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Enabling public access to CloudTrail log content could assist an adversary in identifying weaknesses in the affected account's use or configuration.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"name\": \"5720f1a6-6061-4768-9c0d-2000a6041744\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. 
In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, sending these logs to CloudWatch should be done to enable realtime analysis. \",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"name\": \"dbfc99e3-e648-4c3b-bd32-995e6268430d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure AWS Config is enabled in all regions\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you that can be used for security analysis, resource change tracking, and compliance auditing and should be enabled across all regions.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"name\": \"30c69b23-a9a2-4729-aca6-f21adacfff66\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n 
\"displayName\": \"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket and could be used for security analysis, resource change tracking, and compliance auditing.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"name\": \"c01fab9f-bde1-4ba5-9d35-7de51f31c2d3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"CloudTrail logs should be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"name\": 
\"23b514bd-2afc-4a3e-8d3d-f4327118eee9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure rotation for customer created CMKs is enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"AWS Key Management Service (KMS) enables customers to rotate the backing key, a key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"name\": \"a9ac48d8-8dd7-42b9-9752-b1fa70ea5dd9\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure VPC flow logging is enabled in all VPCs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"VPC Flow Logs enables you to gather information about the IP traffic going to and from network interfaces in your VPC. After a flow log has been created, you can view and retrieve its data in Amazon CloudWatch Logs. 
VPC Flow Logs should be enabled for packet \\\"Rejects\\\" for VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"name\": \"00261067-76a8-4ebb-b5fc-becc81067bee\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for unauthorized API calls\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for unauthorized API calls.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"name\": \"83ca4867-58c1-45d6-b6b6-dbf226512891\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for console logins that are not protected by multi-factor authentication (MFA).\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"name\": \"a269cbdb-86e8-431c-9ff2-f0ea491174d8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for root account login attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"name\": \"5ea59e47-093b-446f-9765-5b0ec4c9da61\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for IAM policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"name\": \"011397ca-1366-4bcc-b85a-7a5e3df2e80b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to CloudTrail's configurations\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"name\": \"c62371bc-f6a7-4915-b5b5-14288682cf79\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for failed console authentication attempts.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"name\": \"293ba336-7312-42fc-a59d-836e4e678b17\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"name\": \"0b547a38-2c0d-47e1-b9a2-a59fccc140db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to S3 bucket policies.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"name\": \"7d0ad86f-f43b-4889-b2f7-09d91bd1407b\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to AWS Config configuration settings\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"name\": \"b20558b6-de31-480c-8aa0-e920d62b9764\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for security group changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to Security Groups.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"name\": \"022efc2d-5119-480b-a203-e151b6b2645c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to NACLs\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"name\": \"3ee7608e-f0e7-4c26-8921-5ae46c4e99df\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for changes to network gateways\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to network gateways.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"name\": \"33765629-073d-49eb-bab4-64bdf8ac90da\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for route table changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes to route tables.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"name\": \"9c054f50-823f-45ab-839e-9df4eb7c2f11\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure a log metric filter and alarm exist for VPC changes\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"By directing CloudTrail Logs to CloudWatch Logs real-time monitoring of API calls can be achieved. 
Metric filter and alarm should be established for changes made to VPCs.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"name\": \"b3473ed6-78c0-40d5-b5f0-674e98924952\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as SSH, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"name\": \"9dd55566-33b9-4c07-a959-14794ce02355\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
Restricting connectivity to remote console services, such as RDP, could help reduce a server's exposure to risk.\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"name\": \"ad0b04b9-eaf9-49f8-b85e-724f9520e760\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Ensure the default security group of every VPC restricts all traffic\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"When an instance is launched and no security group is specified, the instance is automatically assign to a default security group. 
A default security group should restrict all traffic\",\r\n \"remediationDescription\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\r\n \"description\": \"Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable NSG directly on the resources as well.\",\r\n \"remediationDescription\": \"To enable Network Security Groups on your subnets:
1. Select a subnet to enable NSG on.
2. Click the 'Network security group' section.
3. Follow the steps and select an existing network security group to attach to this specific subnet.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\r\n \"description\": \"Security Center has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.\",\r\n \"remediationDescription\": \"
1. Select a virtual network to enable the DDoS protection service standard on.
2. Select the Standard option.
3. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\r\n \"description\": \"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.\",\r\n \"remediationDescription\": \"To enable and configure adaptive application controls:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines that Security Center recommends protecting with adaptive application controls, select the \\\"Recommended\\\" tab and choose a group of machines to protect.
4. Create a new applications control policy according to the instructions in Security Center's documentation: https://aka.ms/aac-newpolicy\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534\",\r\n \"description\": \"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.\",\r\n \"remediationDescription\": \"To update your list of known-safe applications:
1. From the portal, open Security Center.
2. Select \\\"Adaptive application controls\\\" from Security Center's sidebar.
3. To see the groups of machines for which Security Center recommends updating the policy, select the \\\"Recommended\\\" tab and choose the configured group of machines.
4. The current policy will be displayed together with the new rules that Security Center recommends adding.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"ThreatResistance\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\r\n \"description\": \"Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. learn more\",\r\n \"remediationDescription\": \"To harden the Network Security Group traffic rules, enforce the recommended rules by following the steps below or manually edit the rules directly on the Network Security Group:
  1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a specific VM's recommendation blade.
  2. Click the \\\"Rules\\\" tab.
  3. If you want to modify a recommended rule's parameters:
    • In the rule that you want to change, select the three dots and select \\\"Edit rule\\\". The \\\"Edit rule\\\" blade opens.
    • Modify the parameters that you want to change and click \\\"Save\\\". The blade closes.
  4. If you want to create a new rule:
    • Click \\\"Add rule\\\" (in the top left corner). The \\\"Edit rule\\\" blade opens.
    • Fill in the parameters and click \\\"Add rule\\\". The blade closes and the new rule is listed in the Rules tab.
  5. Select the rules that you want to apply (including any rules that you edited or added) and click \\\"Enforce\\\".
\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\r\n \"description\": \"Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.\",\r\n \"remediationDescription\": \"To enable just-in-time VM access:
  • Select one or more VMs from the list below and click \\\"Remediate\\\", or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
  • On the \\\"JIT VM access configuration\\\" page, define the ports for which the just-in-time VM access will be applicable.
    • To add additional ports, click the \\\"Add\\\" button on the top left, or click an existing port and edit it.
    • On the \\\"Add port configuration\\\" blade, enter the required parameters.
  • Click \\\"Save\\\".
\",\r\n \"categories\": [\r\n \"Compute\",\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"name\": \"01b1ed4c-b733-4fee-b145-f23236e70cf3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment solution should be installed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Install a vulnerability assessment solution on your virtual machines\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"name\": \"71992a2a-d168-42e0-b10e-6b45fa2ecddb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities should be remediated by a Vulnerability Assessment solution\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\r\n \"description\": \"Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. 
Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.\",\r\n \"remediationDescription\": \"N/A\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\r\n \"description\": \"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22).
3. Either change the 'Action' property to 'Deny', or, improve the rule by applying a less permissive range of source IP ranges.
4. Click 'Save'.
Use Azure Security Center's Just-in-time (JIT) virtual machine (VM) access to lock down inbound traffic to your Azure VMs by demand. Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\r\n \"description\": \"Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.\",\r\n \"remediationDescription\": \"We recommend you edit the IP configurations of the NICs belonging to some of your virtual machines.
To disable IP forwarding:
1. Select a VM from the list below, or click 'Take action' if you've arrived from a specific VM's recommendation blade.
2. In the 'Networking' blade, click on the NIC link ('Network Interface' in the top left).
3. In the 'IP configurations' blade, set the 'IP forwarding' field to 'Disabled'.
4. Click 'Save'.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\r\n \"description\": \"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.\",\r\n \"remediationDescription\": \"We recommend that you edit the inbound rules of some of your virtual machines, to restrict access to specific source ranges.
To restrict access to your virtual machines:
1. Select a VM to restrict access to.
2. In the 'Networking' blade, click the Network Security Group with overly permissive rules.
3. In the 'Network security group' blade, click on each of the rules that are overly permissive.
4. Improve the rule by applying less permissive source IP ranges.
5. Apply the suggested changes and click 'Save'.
If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated to them.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\r\n \"description\": \"Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Please note that to keep your machine as secured as possible, both the VM access to the Internet must be restricted, and an NSG should be enabled on the subnet.
VMs with 'High' severity are Internet-facing VMs.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a Network Security Group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the Network Security Group to assign to the subnet and click \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Click 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the Network Security Group to assign to this NIC.
Click here to learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6\",\r\n \"description\": \"Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet.
Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.\",\r\n \"remediationDescription\": \"To protect a virtual machine with a network security group:
1. Select a VM from the list below, or click \\\"Take action\\\" if you've arrived from a recommendation for a specific VM.
2. Assign the relevant NSG to the NIC or subnet for the VM you're protecting:
  a. To assign the NSG to the VM's subnet (recommended):
    i. In the Networking page, select the 'Virtual network/subnet'.
    ii. Open the \\\"Subnets\\\" menu.
    iii. Select the subnet where your VM is deployed.
    iv. Select the network security group to assign to the subnet and select \\\"Save\\\".
  b. To assign the NSG to the NIC:
    i. In the Networking page, select the network interface that's associated with the selected VM.
    ii. In the Network interfaces page, select the 'Network security group' menu item.
    iii. Select 'Edit' at the top of the page.
    iv. Follow the on-screen instructions and select the network security group to assign to this NIC.
Learn more.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"name\": \"550e890b-e652-4d22-8274-60b3bdb24c63\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Enable the built-in vulnerability assessment solution on virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the Qualys extension (built-in to the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several minutes after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Install the extension to enable a vulnerability assessment solution on your virtual machines.\",\r\n \"remediationDescription\": \"To remediate with a single click, in the Unhealthy resources tab (below), select the resources, and click 'Remediate'. Read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation. 
Note: It can take several hours after remediation completes to see the resources in the ‘healthy resources’\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"name\": \"57f36d21-69e3-4b0f-a66c-18629d1b736d\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Adaptive Network Hardening recommendations should be applied on internal facing virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due lack of traffic on the port/protocol tuples or specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.\",\r\n \"remediationDescription\": \"Security Center recommends that you modify the rules of your virtual machines, to close ports which are not in use.
To close unused ports on your Virtual Machine with a Network Security Group
1. Select a Virtual Machine to display a list of its unused open ports
2. Open the Virtual Machine's Networking blade by clicking its name
3. Edit the Virtual Machine's inbound/outbound rules to block ports according to the list
4. Click Save\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"ThreatResistance\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Windows VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\r\n \"description\": \"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.\",\r\n \"remediationDescription\": \"Installation of the dependency agent and enabling data collection in Security Center can be done in several ways:
  • Using Security Center automatic provisioning on your subscription(s).
    • This will automatically provision the Microsoft Monitoring Dependency Agent on current and future-created virtual machines on your subscription(s). Learn more
    • You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Pricing & settings' menu item
      • click on a subscription and enable auto provisioning in the 'data collection' menu item.
  • Install the Microsoft Monitoring Dependency agent on your Virtual machines as a VM extension or directly, by following these instructions:
    • Provision the Microsoft Monitoring Dependency agent with Azure Policies. The applicable policy definitions are:
      • '[Preview]: Deploy Microsoft Monitoring Dependency Agent for Linux VMs.'
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c\",\r\n \"description\": \"Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restricting access to your virtual networks and prevent potential threats. To learn more about Azure Firewall,
Click here\",\r\n \"remediationDescription\": \"To protect your virtual networks with Azure Firewall:
1. From the list below, select a network. Or select Take action if you've arrived here from a specific virtual network page.
2. Follow the Azure Firewall deployment instructions. Make sure to configure all default routes properly.
Important: Azure Firewall is billed separately from Azure Security Center. Learn more about Azure Firewall pricing.\",\r\n \"categories\": [\r\n \"Networking\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047\",\r\n \"description\": \"Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence.
Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.

Important: Remediating this recommendation will result in charges for protecting your key vaults. If you don't have any key vaults in this subscription, no charges will be incurred.
If you create any key vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Key Vault.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Key Vault vaults in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Key Vault\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"IdentityAndAccess\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred.
If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Azure SQL Database servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure SQL Database servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Azure SQL Database servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b\",\r\n \"description\": \"Azure Defender for SQL is a unified package that provides advanced SQL security capabilities.
It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.

Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred.
If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for SQL servers on machines.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all SQL servers on machines in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"SQL servers on machines\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa\",\r\n \"description\": \"Azure Defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.

Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred.
If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Storage\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Azure Storage accounts in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select pricing tier by resource type\\\", set \\\"Storage\\\" to \\\"Enabled\\\"\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb\",\r\n \"description\": \"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.

Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred.
If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for App Service.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all App Service plans in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"App Service\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4\",\r\n \"description\": \"To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities.
Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.

Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred.
If you create any container registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for container registries.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all container registries in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Container Registries\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a\",\r\n \"description\": \"Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your containers.

Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred.
If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for Kubernetes.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all Kubernetes clusters in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Kubernetes\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"MaliciousInsider\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d\",\r\n \"description\": \"Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your servers.

Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred.
If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more about Azure Defender for servers.\",\r\n \"remediationDescription\": \"To enable Azure Defender on all servers in a subscription:
1. Open Security Center's Pricing & settings page.
2. Select the subscription on which you want to enable Azure Defender.
3. Under \\\"Select Azure Defender plan by resource type\\\", set \\\"Servers\\\" to \\\"On\\\".\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"High\",\r\n \"implementationEffort\": \"High\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\r\n \"description\": \"Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features which creates intelligent alerts based on changes in the access patterns to the sensitive data.\",\r\n \"remediationDescription\": \"To remediate this recommendation:
1. In your SQL database, go to 'Advanced Data Security' and click 'Data Discovery and Classification'.
2. Review the recommended classifications.
3. Apply the relevant recommendations and dismiss the ones that are not applicable.
4. Please note that the updated health status for the database will not be reflected immediately and can take up to a week to refresh. You can make this happen faster by triggering a database Vulnerability Assessment scan: in your SQL database go to 'Advanced Data Security', click 'Vulnerability Assessment' and click 'Scan'. The health status of the database will be updated within 1 day from scan completion.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Moderate\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL servers on machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"\",\r\n \"description\": \"SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562\",\r\n \"description\": \"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.\",\r\n \"remediationDescription\": \"To resolve container image vulnerabilities:
1. Navigate to the relevant resource under the 'Unhealthy' section and select the container image you are looking to remediate.
2. Review the set of failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.
5. Upload the new remediated image to your registry. Review scan results for the new image to verify the vulnerability no longer exists.
6. Delete the old image with the vulnerability from your registry.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\r\n \"description\": \"Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).\",\r\n \"remediationDescription\": \"Review and remediate vulnerabilities discovered by a vulnerability assessment solution.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"Low\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\",\r\n \"ElevationOfPrivilege\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\r\n \"description\": \"SQL Vulnerability 
Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.\",\r\n \"remediationDescription\": \"To resolve SQL vulnerabilities:
1. In your SQL database, go to 'Advanced Data Security' and click 'Vulnerability Assessment'.
2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk.
3. Click on each vulnerability to view its details and explicit remediation instructions and scripts.
4. Either remediate the vulnerability using the provided script, or set the result as an acceptable Baseline for the check so that it will be considered passing in subsequent scans.\",\r\n \"categories\": [\r\n \"Data\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"AccountBreach\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/microsoft.authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\r\n \"description\": \"Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers\",\r\n \"remediationDescription\": \"
1. Click an identified outstanding update.
2. In the Missing system updates pane, click the support link (when exists) and follow the instructions.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"severity\": \"High\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Low\",\r\n \"threats\": [\r\n \"AccountBreach\",\r\n \"DataExfiltration\",\r\n \"DataSpillage\",\r\n \"MaliciousInsider\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\r\n \"description\": \"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- Endpoint protection assessment is documented here - https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection\",\r\n \"remediationDescription\": \"
1. Confirm that your solution is on the list of tools supported by Security Center.
2. For a list of possible health issues with your solution and advice on how to resolve the health issues, consult this page of the Security Center documentation\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"userImpact\": \"Low\",\r\n \"implementationEffort\": \"Moderate\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"name\": \"08e628db-e2ed-4793-bc91-d13e684401c3\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d\",\r\n \"description\": \"Azure Policy Add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Security Center requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.

Requires Kubernetes v1.14.0 or later.

\",\r\n \"remediationDescription\": \"

To configure the Azure Policy Add-on for use with your Azure Kubernetes Service cluster, follow the instructions in Install Azure Policy Add-on for AKS.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MissingCoverage\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"name\": \"405c9ae6-49f9-46c4-8873-a86690f27818\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container CPU and memory limits should be enforced\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\r\n \"description\": \"Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).

We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:
  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod. Learn more.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"DenialOfService\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"name\": \"5d90913f-a1c5-4429-ad54-2c6c17fb3c73\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Privileged containers should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\r\n \"description\": \"To prevent unrestricted host access, avoid privileged containers whenever possible.

Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts and networks.

\",\r\n \"remediationDescription\": \"From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running privileged containers.

For these pods, set the privileged flag to 'false' on the security context of the container's spec. After making your changes, redeploy the pod with the updated spec.

\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"name\": \"8d244d29-fa00-4332-b935-c3a51d525417\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container images should be deployed from trusted registries only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\r\n \"description\": \"Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.\",\r\n \"remediationDescription\": \"
  1. Ensure a regex, defining your organization private registries is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the pods running images from untrusted registries. If you see a pod running an unfamiliar image, remove it and report the incident to your security admin. Otherwise, move all images to a trusted private registry and redeploy the pods with the updated registry.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\",\r\n \"threats\": [\r\n \"MaliciousInsider\",\r\n \"DataSpillage\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"name\": \"5f88450f-9546-4b78-a181-a2d9162bb441\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your containers are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Centers lists the pods running containers which listen on ports outside the configured list.
  3. Limit the containers' ports. After making your changes, redeploy the pods with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"name\": \"add45209-73f6-4fa5-a5a5-74a451b07fbe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Services should listen on allowed ports only\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\r\n \"description\": \"To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports.\",\r\n \"remediationDescription\": \"
  1. Ensure a list of ports on which your services are allowed to listen, is configured, via the security policy parameters.
  2. From the 'Unhealthy resources' tab, select the cluster. Security Center lists the services which listen on ports outside the configured list.
  3. Limit the services' ports. After making your changes, redeploy the services with the updated ports.
\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"name\": \"11c95609-3553-430d-b788-fd41cde8b2db\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Least privileged Linux capabilities should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\r\n \"description\": \"To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required\",\r\n \"remediationDescription\": \"
1. Make sure lists of dropped capabilities and allowed capabilities are configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running containers with capabilities outside the configured list.
3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a capabilities section in the securityContext section of the container manifest with the relevant capabilities set e.g. Drop: ALL ; add: ['NET_ADMIN', 'SYS_TIME'].
4. After making your changes, redeploy the pod with the updated capabilities.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\",\r\n \"threats\": [\r\n \"ElevationOfPrivilege\",\r\n \"DataExfiltration\",\r\n \"ThreatResistance\",\r\n \"DenialOfService\"\r\n ]\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"name\": \"27d6f0e9-b4d5-468b-ae7e-03d5473fd864\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Immutable (read-only) root filesystem should be enforced for containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80\",\r\n \"description\": \"Containers should run with a read only root file system in your Kubernetes cluster. Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers without read only root file system.
2. For these pods, set the readOnlyRootFilesystem flag to 'true' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"name\": \"f0debc84-981c-4a0d-924d-aa4bd7d55fef\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75\",\r\n \"description\": \"We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, the container node access from the containers should be restricted\",\r\n \"remediationDescription\": \"
1. Ensure a list of allowed host paths is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running pods with hostPath volume violating the configured list.
3. Update hostPath and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"name\": \"9b795646-9130-41a4-90b7-df9eae2437c8\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Running containers as root user should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042\",\r\n \"description\": \"Containers should run as a non-root users in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any mis-configurations become easier to exploit.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers missing the 'MustRunAsNonRoot' rule.
2. For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.
3. After making your changes, redeploy the pod with the updated rule. \",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"name\": \"ebc68898-5c0f-4353-a426-4a5f1e737b12\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Usage of host networking and ports should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe\",\r\n \"description\": \"Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node’s network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.\",\r\n \"remediationDescription\": \"
1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with host networking violating the configured list.
3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
4. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"name\": \"802c0637-5a8c-4c98-abd7-7c96d89d6010\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Containers sharing sensitive host namespaces should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\r\n \"description\": \"To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods sharing host process ID or host IPC.
2. Set the host process ID and host IPC to 'false' on the pod's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"name\": \"43dc2a2e-ce69-4d42-923e-ab7d136f2cfe\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Container with privilege escalation should be avoided\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\r\n \"description\": \"Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.<br>The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.\",\r\n \"remediationDescription\": \"
1. From the Unhealthy resources tab, select the cluster. Security Center lists the pods running containers with privilege escalation to root in your Kubernetes cluster.
2. For these pods, set the AllowPrivilegeEscalation flag to 'false' on the security context of the container's spec.
3. After making your changes, redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"Medium\"\r\n }\r\n },\r\n {\r\n \"id\": \"/providers/Microsoft.Security/assessmentMetadata/86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"name\": \"86f91051-9d6a-47c3-a07f-bd14cb214b45\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Overriding or disabling of containers AppArmor profile should be restricted\",\r\n \"assessmentType\": \"BuiltIn\",\r\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e\",\r\n \"description\": \"Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.<br>AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.\",\r\n \"remediationDescription\": \"
1. Ensure a list of AppArmor profiles containers are allowed to use is configured, via the security policy parameters.
2. From the Unhealthy resources tab, select the cluster. Security Center lists the running pods with AppArmor profile violating the configured list.
3. Update AppArmor annotation in the Pod's metadata and redeploy the pod with the updated spec.\",\r\n \"categories\": [\r\n \"Compute\"\r\n ],\r\n \"preview\": true,\r\n \"severity\": \"High\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation 
is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": 
\"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n 
\"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n 
\"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9596547Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9596547Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9592241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9592241Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9607709Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9607709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9631778Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9631778Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": 
{\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9669885Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9669885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.979355Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.979355Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9691492Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9691492Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9925979Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9925979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3328837Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3328837Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3178374Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3178374Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3251543Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3251543Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3381121Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3381121Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is 
valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3190056Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3190056Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.4711053Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.4711053Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": 
\"Unknown\",\r\n \"statusChangeDate\": \"2022-11-17T09:31:47.5529131Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:31:47.5529131Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on 
machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:09.9521643Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:09.9521643Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:10.2291901Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:10.2291901Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that 
might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n 
\"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n 
\"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n 
\"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n 
\"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite 
for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.0429905Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.0429905Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1586421Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1586421Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or 
not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1627119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1627119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2276504Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2276504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n 
\"statusChangeDate\": \"2022-11-17T08:54:58.1722925Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1722925Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2344409Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2344409Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2232119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2232119Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2288307Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2288307Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2279455Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2279455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3980229Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3980229Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3839845Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3839845Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.5346488Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.5346488Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:59.5159241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:59.5159241Z\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": 
\"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": 
\"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n 
\"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": 
\"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": 
\"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n 
\"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "3684b3df-6eda-48a1-bb0a-9488ea96c836" + "2fd936bd-4013-45c4-ad57-3c9c26264018" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + 
"OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -210,13 +270,13 @@ "749" ], "x-ms-request-id": [ - "01439508-de65-4afa-8947-e4f19834a6a8" + "8642f0ea-669f-457b-879d-8e86c1577250" ], "x-ms-correlation-request-id": [ - "01439508-de65-4afa-8947-e4f19834a6a8" + "8642f0ea-669f-457b-879d-8e86c1577250" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144743Z:01439508-de65-4afa-8947-e4f19834a6a8" + "FRANCESOUTH:20221117T095106Z:8642f0ea-669f-457b-879d-8e86c1577250" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -225,10 +285,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:43 GMT" + "Thu, 17 Nov 2022 09:51:05 GMT" ], "Content-Length": [ - "128278" + "277024" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -237,28 +297,88 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": 
\"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore/providers/Microsoft.Security/assessments/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore\"\r\n },\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"ReportTimeUtc\": \"11/26/2020 4:48:59 PM\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should 
be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": 
\"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": 
\"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": 
\"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n 
\"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": 
\"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"c0debf7b-d214-46d6-915f-095bd45f3843\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from your 
subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed 
from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": 
\"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n 
\"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive 
network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should 
be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"The extension might be corrupted, please try to remove it and deploy again\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does 
not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": 
\"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual 
machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n 
\"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n 
\"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n \"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring 
agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-30T10:33:59.707Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-29T18:44:13.58Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n 
\"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Your machines should 
be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": 
\"Web Application should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": 
\"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your 
function app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n 
\"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n 
\"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not 
report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9596547Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9596547Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9592241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9592241Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9607709Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9607709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": 
\"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9631778Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9631778Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9669885Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9669885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.979355Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.979355Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9691492Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9691492Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-11-17T08:54:35.9925979Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9925979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3328837Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3328837Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3178374Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3178374Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3251543Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3251543Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3381121Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3381121Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Log 
Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3190056Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3190056Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.4711053Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.4711053Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2022-11-17T09:31:47.5529131Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:31:47.5529131Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:09.9521643Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:09.9521643Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n 
\"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:10.2291901Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:10.2291901Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T09:51:05.3882073Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:51:05.3882073Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": 
\"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.0429905Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.0429905Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1586421Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1586421Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1627119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1627119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2276504Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2276504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1722925Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1722925Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2344409Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2344409Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2232119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2232119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2288307Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2288307Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2279455Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2279455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3980229Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3980229Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3839845Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3839845Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.5346488Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.5346488Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:59.5159241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:59.5159241Z\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": 
\"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": 
\"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n 
\"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": 
\"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": 
\"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n 
\"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjEtMDYtMDE=", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "7dc20785-599a-43c7-b5b9-e854c474ccb7" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" 
+ ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "749" + ], + "x-ms-request-id": [ + "aef2ce93-ccef-4708-8cdf-c341d45506de" + ], + "x-ms-correlation-request-id": [ + "aef2ce93-ccef-4708-8cdf-c341d45506de" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T095113Z:aef2ce93-ccef-4708-8cdf-c341d45506de" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:51:13 GMT" + ], + "Content-Length": [ + "276520" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": 
\"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not 
report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9596547Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9596547Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9592241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9592241Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9607709Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9607709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": 
\"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9631778Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9631778Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9669885Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9669885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.979355Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.979355Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9691492Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9691492Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-11-17T08:54:35.9925979Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9925979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3328837Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3328837Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3178374Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3178374Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3251543Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3251543Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3381121Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3381121Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Log 
Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3190056Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3190056Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.4711053Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.4711053Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2022-11-17T09:31:47.5529131Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:31:47.5529131Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:09.9521643Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:09.9521643Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n 
\"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:10.2291901Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:10.2291901Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n 
\"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": 
{\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.0429905Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.0429905Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1586421Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1586421Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1627119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1627119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2276504Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2276504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1722925Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1722925Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2344409Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2344409Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2232119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2232119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n 
\"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2288307Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2288307Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2279455Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2279455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n 
\"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3980229Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3980229Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3839845Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3839845Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": 
\"2022-11-17T08:54:58.5346488Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.5346488Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:59.5159241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:59.5159241Z\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that 
might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing 
virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be 
updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n 
\"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n 
\"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n 
\"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudHM/YXBpLXZlcnNpb249MjAyMS0wNi0wMSZOZXh0TGluaz1fZHluYW1pYw==", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "f11934cd-23ea-4f55-906b-d4e53783f543" + "2dbabe79-13c0-41bf-9c15-f6a84a5854fa" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -270,13 +390,13 @@ "748" ], "x-ms-request-id": [ - "f8718cb1-1eac-4599-aff8-401595416b7a" + "452cffb6-2895-4fb4-ae2e-a739e016157d" ], "x-ms-correlation-request-id": [ - "f8718cb1-1eac-4599-aff8-401595416b7a" + "452cffb6-2895-4fb4-ae2e-a739e016157d" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144748Z:f8718cb1-1eac-4599-aff8-401595416b7a" + "FRANCESOUTH:20221117T095101Z:452cffb6-2895-4fb4-ae2e-a739e016157d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -285,10 +405,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:47 GMT" + "Thu, 17 Nov 2022 09:51:00 GMT" ], "Content-Length": [ - "128679" + "12" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -297,28 +417,88 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": 
\"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore/providers/Microsoft.Security/assessments/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore\"\r\n },\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"ReportTimeUtc\": \"11/26/2020 4:48:59 PM\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should 
be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": 
\"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": 
\"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": 
\"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n 
\"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": 
\"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"c0debf7b-d214-46d6-915f-095bd45f3843\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from your 
subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed 
from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": 
\"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n 
\"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive 
network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should 
be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"The extension might be corrupted, please try to remove it and deploy again\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does 
not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": 
\"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual 
machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n 
\"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n 
\"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n \"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring 
agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-30T10:33:59.707Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-29T18:44:13.58Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n 
\"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Your machines should 
be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": 
\"Web Application should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": 
\"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your 
function app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": []\r\n}", "StatusCode": 200 }, { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": 
"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudHM/YXBpLXZlcnNpb249MjAyMS0wNi0wMSZOZXh0TGluaz1fZHluYW1pYw==", "RequestMethod": "GET", + "RequestHeaders": { + "x-ms-client-request-id": [ + "2fd936bd-4013-45c4-ad57-3c9c26264018" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" + ] + }, "RequestBody": "", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "748" + ], + "x-ms-request-id": [ + "47ff8f36-ba03-4c98-91f2-2d718995b973" + ], + "x-ms-correlation-request-id": [ + "47ff8f36-ba03-4c98-91f2-2d718995b973" + ], + "x-ms-routing-request-id": [ + "FRANCESOUTH:20221117T095107Z:47ff8f36-ba03-4c98-91f2-2d718995b973" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 17 Nov 2022 09:51:07 GMT" + ], + "Content-Length": [ + "12" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"value\": []\r\n}", + "StatusCode": 200 + }, + { + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudHM/YXBpLXZlcnNpb249MjAyMS0wNi0wMSZOZXh0TGluaz1fZHluYW1pYw==", + "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "847dd562-da4a-44a2-af7a-f91c17135b08" + 
"7dc20785-599a-43c7-b5b9-e854c474ccb7" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -327,16 +507,16 @@ "no-cache" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "747" + "748" ], "x-ms-request-id": [ - "39de1ce9-3958-4362-96b6-78271524c05b" + "73949adc-2e99-4ca7-b17a-a04ef980a5ca" ], "x-ms-correlation-request-id": [ - "39de1ce9-3958-4362-96b6-78271524c05b" + "73949adc-2e99-4ca7-b17a-a04ef980a5ca" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144749Z:39de1ce9-3958-4362-96b6-78271524c05b" + "FRANCESOUTH:20221117T095114Z:73949adc-2e99-4ca7-b17a-a04ef980a5ca" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -345,10 +525,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:48 GMT" + "Thu, 17 Nov 2022 09:51:14 GMT" ], "Content-Length": [ - "128278" + "12" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -357,26 +537,25 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": 
\"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore/providers/Microsoft.Security/assessments/b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"name\": \"b0df6f56-862d-4730-8597-38c0fd4ebd59\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/databases/dataStore\"\r\n },\r\n \"displayName\": \"Sensitive data in your SQL databases should be classified\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"ReportTimeUtc\": \"11/26/2020 4:48:59 PM\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should 
be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": 
\"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"An Azure Active Directory administrator should be provisioned for SQL servers\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": 
\"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment should be enabled on your SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": 
\"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n 
\"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"name\": \"8c3e93d3-0276-4d06-b20a-9a9f3012742c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Linux virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"name\": \"24d8af06-d441-40b4-a49c-311421aa9f58\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Network traffic data collection agent should be installed on Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": 
\"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"c0debf7b-d214-46d6-915f-095bd45f3843\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from your 
subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed 
from your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with write permissions on your subscription\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": 
\"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/53572822-d3fc-4363-bfb9-248645841612\",\r\n \"name\": \"53572822-d3fc-4363-bfb9-248645841612\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for container registries should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"name\": \"86ea1a79-29d3-4eac-a9f4-3541ace4e718\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Kubernetes should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Azure Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n 
\"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive 
network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"A vulnerability assessment solution should be enabled on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Vulnerability assessment findings on your SQL databases should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access your Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should 
be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": 
\"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"JitIsEnabled\",\r\n \"description\": \"JIT is enabled.\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in your virtual machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"The extension might be corrupted, please try to remove it and deploy again\",\r\n \"description\": \"The extension might be corrupted, please try to remove it and deploy again\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does 
not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"This resource does not report System Updates to any workspace\",\r\n \"description\": \"This resource does not report System Updates to any workspace\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": 
\"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual 
machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection solution should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health failures should be remediated on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n 
\"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n 
\"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NoHeartbeat\",\r\n \"description\": \"Agent not responsive or missing ID - Security Center is unable to retrieve security data from the VM, even though the agent is installed.\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"NoHeartbeat\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"name\": \"8e2b96ff-3de2-289b-b5c1-3b9921a3441e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring 
agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues should be resolved on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-30T10:33:59.707Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2020-11-29T18:44:13.58Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n 
\"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your machines should be remediated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Your machines should be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"name\": \"c0f5316d-5ac5-9218-b77a-b96e16ccfd66\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Your machines should 
be restarted to apply system updates\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": 
\"Web Application should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": 
\"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your web app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in your function app\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs should be enabled in App Service\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your web app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for your 
function app\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in your web App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in your function App\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": []\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzAzMzg3MjhiLWJjNWMtNDFkNi1hYjgzLTI5Y2YyODY1MjY4MD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"Testing the 
cmdlet\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"severity\": \"High\",\r\n \"assessmentType\": \"CustomerManaged\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "37879143-22a2-4bff-94c3-85b85445344d" + "322de184-a2bb-4290-b74c-495ebae8d98f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -385,6 +564,7 @@ "207" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"severity\": \"High\",\r\n \"assessmentType\": \"CustomerManaged\"\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -396,13 +576,13 @@ "1199" ], "x-ms-request-id": [ - "28c393fd-e8c4-4a79-960f-9a95f9036dcd" + "c9437242-b2c2-41f5-b638-801b2741ff60" ], "x-ms-correlation-request-id": [ - "28c393fd-e8c4-4a79-960f-9a95f9036dcd" + "c9437242-b2c2-41f5-b638-801b2741ff60" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144744Z:28c393fd-e8c4-4a79-960f-9a95f9036dcd" + "FRANCESOUTH:20221117T095102Z:c9437242-b2c2-41f5-b638-801b2741ff60" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -411,7 +591,7 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:44 GMT" + "Thu, 17 Nov 2022 09:51:01 GMT" ], "Content-Length": [ "430" 
@@ -423,26 +603,25 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"type\": \"Microsoft.Security/assessmentMetadata\",\r\n \"properties\": {\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"assessmentType\": \"CustomerManaged\",\r\n \"description\": \"Testing that creating a new metadata is working\",\r\n \"categories\": [\r\n \"Unknown\"\r\n ],\r\n \"severity\": \"High\"\r\n }\r\n}", "StatusCode": 200 }, { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0338728b-bc5c-41d6-ab83-29cf28652680?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzLzAzMzg3MjhiLWJjNWMtNDFkNi1hYjgzLTI5Y2YyODY1MjY4MD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": 
"PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"source\": \"Azure\"\r\n },\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "e66814e1-8e0a-4876-981d-64317230d4b0" + "d95a8e9f-0ef9-4196-92c6-52ebda640f46" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -451,6 +630,7 @@ "138" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"source\": \"Azure\"\r\n },\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -458,17 +638,17 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "299" ], "x-ms-request-id": [ - "05a4a3d6-25f0-4e06-8a43-d2acc01a2526" + "d82507ca-41d3-44ad-8ace-58988d5b8fbd" ], "x-ms-correlation-request-id": [ - "05a4a3d6-25f0-4e06-8a43-d2acc01a2526" + "d82507ca-41d3-44ad-8ace-58988d5b8fbd" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144747Z:05a4a3d6-25f0-4e06-8a43-d2acc01a2526" + "FRANCESOUTH:20221117T095105Z:d82507ca-41d3-44ad-8ace-58988d5b8fbd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -477,10 +657,10 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:47 GMT" + "Thu, 17 Nov 2022 09:51:04 GMT" ], "Content-Length": [ - "400" + "503" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -489,28 +669,28 @@ "-1" ] }, - "ResponseBody": "{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"name\": \"0338728b-bc5c-41d6-ab83-29cf28652680\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"name\": \"45fb078b-a96e-4d0b-90cb-f3ed8a5530c0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Testing the cmdlet\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T09:51:05.3882073Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:51:05.3882073Z\"\r\n }\r\n }\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/0338728b-bc5c-41d6-ab83-29cf28652680?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzAzMzg3MjhiLWJjNWMtNDFkNi1hYjgzLTI5Y2YyODY1MjY4MD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessmentMetadata/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvYXNzZXNzbWVudE1ldGFkYXRhLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "68d7d52f-dcec-422b-9797-be17a6af5cef" + "73c32539-3849-4910-ad34-73b3129b708b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -522,13 +702,13 @@ "14999" ], "x-ms-request-id": [ - "6a560b24-7c3c-4b9e-803d-ffbfa8fd7031" + "53f58dec-804a-4f23-a2e4-3a2de8ab5206" ], "x-ms-correlation-request-id": [ - "6a560b24-7c3c-4b9e-803d-ffbfa8fd7031" + "53f58dec-804a-4f23-a2e4-3a2de8ab5206" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144748Z:6a560b24-7c3c-4b9e-803d-ffbfa8fd7031" + "FRANCESOUTH:20221117T095109Z:53f58dec-804a-4f23-a2e4-3a2de8ab5206" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -537,7 +717,7 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:48 GMT" + "Thu, 17 Nov 2022 09:51:08 GMT" ], "Expires": [ "-1" 
@@ -550,24 +730,24 @@ "StatusCode": 200 }, { - "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0338728b-bc5c-41d6-ab83-29cf28652680?api-version=2020-01-01", - "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzLzAzMzg3MjhiLWJjNWMtNDFkNi1hYjgzLTI5Y2YyODY1MjY4MD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", + "RequestUri": "//subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/45fb078b-a96e-4d0b-90cb-f3ed8a5530c0?api-version=2021-06-01", + "EncodedRequestUri": "Ly9zdWJzY3JpcHRpb25zLzQ4N2JiNDg1LWI1YjAtNDcxZS05YzBkLTEwNzE3NjEyZjg2OS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5L2Fzc2Vzc21lbnRzLzQ1ZmIwNzhiLWE5NmUtNGQwYi05MGNiLWYzZWQ4YTU1MzBjMD9hcGktdmVyc2lvbj0yMDIxLTA2LTAx", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "b85fcc1a-488c-4859-a45a-1aeb40cc09b4" + "d2fbe2a3-bc55-4616-ab5a-a032cc17c0e9" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/2.2.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -579,13 +759,13 @@ "14998" ], "x-ms-request-id": [ - "6f008028-fcec-4646-9142-60bf5e42486b" + "de48738f-8ff6-4701-88cf-3031ae190f45" ], "x-ms-correlation-request-id": [ - "6f008028-fcec-4646-9142-60bf5e42486b" + "de48738f-8ff6-4701-88cf-3031ae190f45" ], "x-ms-routing-request-id": [ - "UKSOUTH:20201130T144748Z:6f008028-fcec-4646-9142-60bf5e42486b" + "FRANCESOUTH:20221117T095110Z:de48738f-8ff6-4701-88cf-3031ae190f45" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -594,7 +774,7 @@ "nosniff" ], "Date": [ - "Mon, 30 Nov 2020 14:47:48 GMT" + "Thu, 17 Nov 2022 09:51:10 GMT" ], "Expires": [ "-1" diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json index 630c68ee64e1..04175c612094 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityAssessmentTests/GetAllAssessments.json @@ -6,7 +6,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "eb4ca80f-3c43-4dc4-92bf-208dad8b6f69" + "57b40434-e92f-4112-8e03-9edd6d39f554" ], "Accept-Language": [ "en-US" @@ -30,13 +30,13 @@ "749" ], "x-ms-request-id": [ - "484a37f8-59d2-48a0-aea8-e2373168f41b" + "45bc4b6c-c131-4cf1-9c96-98a175ad028e" ], "x-ms-correlation-request-id": [ - "484a37f8-59d2-48a0-aea8-e2373168f41b" + "45bc4b6c-c131-4cf1-9c96-98a175ad028e" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T081838Z:484a37f8-59d2-48a0-aea8-e2373168f41b" + "FRANCESOUTH:20221117T094930Z:45bc4b6c-c131-4cf1-9c96-98a175ad028e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -45,10 +45,10 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:18:38 GMT" + "Thu, 17 Nov 2022 09:49:29 GMT" ], "Content-Length": [ - "250467" + "276520" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -57,7 +57,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n 
\"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n 
\"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n 
\"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n 
\"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual 
machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n 
\"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": 
\"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": 
\"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n 
},\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": 
\"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoNsgOrFwOnVm\",\r\n \"description\": \"This recommendation is relevant only for VMs protected by a network security group or Azure Firewall\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"DdosStandardIsDisabled\",\r\n \"description\": \"DDoS Protection Standard is currently disabled for your virtual network.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"ddosProtectionState\": \"False\",\r\n \"appGatewaysCount\": \"1\",\r\n \"appGatewaysHasPublicIp\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmIsNotProtectedWithNsg\",\r\n \"description\": \"Your virtual machine is not protected with a network security group.\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4811551Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4811551Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not 
report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.4818625Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.4818625Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:00.6892204Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:00.6892204Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"name\": \"c476dc48-8110-4139-91af-c8d940896b98\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely (Baselines V1)\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-06T16:44:01.2728369Z\",\r\n \"firstEvaluationDate\": \"2022-11-06T16:44:01.2728369Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9596547Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9596547Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9592241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9592241Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9607709Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9607709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": 
\"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9631778Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9631778Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9669885Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9669885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.979355Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.979355Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.network/virtualnetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:35.9691492Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9691492Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-11-17T08:54:35.9925979Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:35.9925979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3328837Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3328837Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3178374Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3178374Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3251543Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3251543Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3381121Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3381121Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Log 
Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:49.3190056Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:49.3190056Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"cd8b1c77-1998-4f65-b618-b21bb8118c32\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.4711053Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.4711053Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"name\": \"f97aa83c-9b63-4f9a-99f6-b22c4398f936\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"SQL servers on machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2022-11-17T09:31:47.5529131Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T09:31:47.5529131Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/pssqlva1732/providers/microsoft.compute/virtualmachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f97aa83c-9b63-4f9a-99f6-b22c4398f936/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-06T23:44:54.5781061Z\",\r\n \"firstEvaluationDate\": \"2022-10-06T23:44:54.5781061Z\"\r\n },\r\n \"additionalData\": {\r\n \"OSName\": \"Linux\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:09.9521643Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:09.9521643Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n 
\"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:35:10.2291901Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:35:10.2291901Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:10.6183747Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:10.6183747Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:11.5779799Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:11.5779799Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"\",\r\n \"statusChangeDate\": \"2022-10-15T03:31:15.7293508Z\",\r\n \"firstEvaluationDate\": \"2022-10-15T03:31:15.7293508Z\"\r\n },\r\n \"additionalData\": {\r\n 
\"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"name\": \"1ce68079-b783-4404-b341-d2851d6f0fa2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:55.7597579Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:55.7597579Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-eus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"2\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": 
{\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.operationalinsights/workspaces/testservicews\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/sdk-iothub-la-cus\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608/providers/Microsoft.Security/assessments/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"name\": \"e9c320f1-03a0-4d2b-9a37-84b3bdc2e281\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.operationalinsights/workspaces/iothubworkspace-centralus-1604511146608\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL on machines should be enabled on workspaces\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-30T12:19:57.7740658Z\",\r\n \"firstEvaluationDate\": \"2022-10-30T12:19:57.7740658Z\"\r\n },\r\n \"additionalData\": {\r\n \"Number Of Reporting Machines\": \"0\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.0429905Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.0429905Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1586421Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1586421Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1627119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1627119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2276504Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2276504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/subnets/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.1722925Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.1722925Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2344409Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2344409Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2232119Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2232119Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n 
\"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NonInternetFacingVms\",\r\n \"description\": \"The VM is non-internet-facing\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2288307Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2288307Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.2279455Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.2279455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Network/virtualNetworks/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n 
\"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3980229Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3980229Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/pssqlva1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:58.3839845Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.3839845Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"VmHasNoPublicIp\",\r\n \"description\": \"This VM has no public IP address.\",\r\n \"statusChangeDate\": 
\"2022-11-17T08:54:58.5346488Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:58.5346488Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/PSSQLVA1732/providers/Microsoft.Compute/virtualMachines/pssqlvavm9865\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-11-17T08:54:59.5159241Z\",\r\n \"firstEvaluationDate\": \"2022-11-17T08:54:59.5159241Z\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"name\": \"bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0\"\r\n },\r\n \"displayName\": \"Machines should have ports closed that 
might expose attack vectors\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"TouViolationAssessments.Models.Port\",\r\n \"description\": \"Open TOU ports\",\r\n \"statusChangeDate\": \"2022-11-16T16:10:02.1122669Z\",\r\n \"firstEvaluationDate\": \"2022-11-16T16:10:02.1122669Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/virtualmachines/0/providers/Microsoft.Security/assessments/bbff27d2-73db-4c2d-8b1a-5f20b1f1da7e/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/syslogmyservice1net/subnets/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"name\": \"dbd0cb49-b563-45e7-9724-889e799fa648\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef\"\r\n },\r\n \"displayName\": \"Container registry images should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/subAssessments_sdk_tests/providers/Microsoft.ContainerRegistry/registries/sdkRef/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8875999Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"3389\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.4533293Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/subnets/default\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Network/virtualNetworks/myService1vnet657\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6777114Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"name\": \"3b20e985-f71f-483b-b078-f30d73936d43\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"All network ports should be restricted on network security groups associated to your virtual machine\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"NetworkPortsAreOpenToAllSources\",\r\n \"description\": \"Network ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6844124Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"name\": \"c3b51c94-588b-426b-a892-24696f9e54cc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"IP forwarding on your virtual machine should be disabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6787472Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"22\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"name\": \"f9f0eed0-f143-47bf-b856-671ea2eeed62\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive network hardening recommendations should be applied on internet facing virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.3842523Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"22\": \"TCP\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"name\": \"35f45c95-27cf-4e52-891f-8390d1de5828\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Adaptive application controls for defining safe applications should be enabled on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5211587Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Non-internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-06T09:19:15.6767401Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"name\": \"a9341235-9389-42f0-a0bf-9bfb57960d44\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Non-internet-facing 
virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"InternetFacingVms\",\r\n \"description\": \"The VM is internet-facing\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.882145Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be 
updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-11-10T11:56:00.5390737Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"name\": \"1234abcd-1b53-4fd4-9835-2c2fa3935313\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Allowlist rules in your adaptive application control policy should be updated\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n 
\"cause\": \"MissingDataOrUnsupported\",\r\n \"description\": \"VM is missing data or not supported\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.2218279Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:42.0548709Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n 
\"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"default\",\r\n \"description\": \"The machine is onboarded to built-in Qualys vulnerability assessment.\",\r\n \"statusChangeDate\": \"2022-11-15T12:28:56.517978Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"name\": \"ffff0522-1e88-47fc-8382-2a80ba848f5d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should have a vulnerability assessment solution\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VaRpCorruptedInstallation\",\r\n \"description\": \"The machine doesn’t have data from Microsoft defender vulnerability management. 
Make sure it’s properly onboarded to Microsoft Defender for Endpoint.\",\r\n \"statusChangeDate\": \"2022-10-27T07:17:56.9155832Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Can onboard to Built-in Qualys\": \"true\",\r\n \"Can onboard to BYOL\": \"true\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"name\": \"82e20e14-edc5-4373-bfc4-f13121257c37\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL databases should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"Unknown\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/82e20e14-edc5-4373-bfc4-f13121257c37/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n 
\"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-11-15T12:29:02.5041539Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Network/virtualNetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"name\": \"483f12ed-ae23-447e-a2de-a67a10db4353\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Internet-facing virtual machines should be protected with network security groups\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8830869Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"name\": \"bc303248-3d14-44c2-96a0-55f5c326b5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports should be closed on your virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"ManagementPortsAreOpenToAllSources\",\r\n \"description\": \"Management ports on your network security group are open to all sources.\",\r\n \"statusChangeDate\": \"2022-04-05T18:45:59.8845246Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"NSG open ports\": \"3389\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"name\": \"805651bc-6ecd-4c73-9b55-97a19d0582d0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Management ports of virtual machines should be protected with just-in-time network access control\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"cause\": \"VmProtectedByNsgWithAllowRules\",\r\n \"description\": \"This VM is protected by an NSG that allows access to management ports.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.5446792Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"description\": \"Vulnerability assessment scanner is not deployed on the machine\",\r\n \"statusChangeDate\": \"2022-09-11T13:44:18.5950886Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"name\": \"1195afff-c881-495e-9bc5-1486211ae03f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should have vulnerability findings resolved\",\r\n \"status\": {\r\n \"code\": 
\"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:46.2425828Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1195afff-c881-495e-9bc5-1486211ae03f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2021-06-13T20:23:45.125409Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": 
\"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"VmNotReportingHB\",\r\n \"description\": \"This resource does not report heartbeat to any workspace\",\r\n \"statusChangeDate\": \"2022-07-13T05:44:10.0183321Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-17T04:43:55.3024919Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet/providers/Microsoft.Security/assessments/eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"name\": \"eade5b56-eefd-444f-95c8-23f29e5d93cb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/subnets/iotsi-fdi-subnet\"\r\n },\r\n \"displayName\": \"Subnets should be associated with a network security group\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"OffByPolicy\",\r\n \"description\": \"The recommendation is disabled in policy\",\r\n \"statusChangeDate\": \"2022-10-18T00:09:19.630647Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"name\": \"e3de1cc0-f4dd-3b34-e496-8b5381ba2d70\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/iotSimulator/providers/Microsoft.Network/virtualNetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Azure DDoS Protection Standard should be enabled\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": 
\"VnetHasNoAppGateways\",\r\n \"description\": \"There are no Application Gateway resources attached to this Virtual Network\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"name\": \"8941d121-f740-35f6-952c-6561d2b38d36\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Virtual machine scale sets should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"name\": \"45cfe080-ceb1-a91e-9743-71551ed24e94\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n 
\"displayName\": \"Log Analytics agent should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"OS Offer\": \"UbuntuServer\",\r\n \"OS Type\": \"Linux\",\r\n \"Location\": \"southcentralus\",\r\n \"UpgradePolicyMode\": \"Manual\",\r\n \"Has Oms extension\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"name\": \"21300918-b2e3-0346-785f-c77ff57d243b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on virtual machine scale sets\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"name\": \"e71020c2-860c-3235-cd39-04f3f8c936d2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on virtual machine scale sets should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Unsupported OS\",\r\n \"description\": \"Unsupported OS\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Workspace Arm Id\": \"\",\r\n \"Severity Cause\": \"Unsupported OS\",\r\n \"Severity Description\": \"Unsupported OS\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"name\": \"bd20bd91-aaf1-7f14-b6e4-866de2f43146\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"System updates on virtual machine scale sets should be installed\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"Missing scan data\",\r\n \"description\": \"Missing scan data\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"Severity Cause\": \"Missing scan data\",\r\n \"Severity Description\": \"Missing scan data\",\r\n \"Last scan time\": \"1/1/0001 12:00:00 AM\",\r\n \"Workspace Arm Id\": \"\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7166784Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n 
\"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": \"c53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/providers/Microsoft.Security/assessments/9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"name\": \"9b0c3939-c9db-4ffc-ad4b-4673ff25cdd8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\"\r\n },\r\n \"displayName\": \"Customer managed metadata\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS/onPremiseMachines/machineName_b53988df-1137-41f2-99ff-52d49d7f53e1_ec2ad76a-fc72-bc3a-f0d7-017756d33d5e/providers/Microsoft.Security/assessments/d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"name\": 
\"d53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"OnPremise\",\r\n \"WorkspaceId\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.OperationalInsights/workspaces/TestServiceWS\",\r\n \"VMUUID\": \"ec2ad76a-fc72-bc3a-f0d7-017756d33d5e\",\r\n \"SourceComputerId\": \"b53988df-1137-41f2-99ff-52d49d7f53e1\",\r\n \"MachineName\": \"machineName\"\r\n },\r\n \"displayName\": \"[elgrady] custom assessment metadata\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"name\": \"5a3d6cdd-8eb3-46d2-ba11-d24a0d47fe65\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Default IP Filter Policy should be Deny\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"name\": \"d8326952-60bb-40fb-b33f-51e662708a88\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"IP Filter rule large IP 
range\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2021-03-14T00:00:00\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7235019Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NotSupported\",\r\n \"description\": \"Machine image is not supported\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7049485Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"name\": \"e1145ab1-eb4f-43d8-911b-36ddf771d13f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines (powered by Update management center)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AssessmentModeNotSetToAuto\",\r\n \"description\": \"Patch settings assessment mode not set to AutomaticByPlatform\",\r\n \"statusChangeDate\": \"2022-09-13T16:14:59.7356778Z\",\r\n \"firstEvaluationDate\": \"2021-03-14T00:00:00\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/e1145ab1-eb4f-43d8-911b-36ddf771d13f/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"name\": \"4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"System updates should be installed on your machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2021-04-07T20:23:43.7791199Z\",\r\n \"firstEvaluationDate\": \"2021-04-07T08:23:44.5057723Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security 
configuration on your Linux machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.7856736Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.7856736Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.8319806Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.8319806Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/taklei/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n 
}\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"name\": \"8c3d9ad0-3639-4686-9cd2-2b2ab2609bda\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.904596Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.904596Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/8c3d9ad0-3639-4686-9cd2-2b2ab2609bda/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"name\": \"1f655fb7-63ca-4980-91a3-56dbc2b715c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Vulnerabilities in security configuration on your Linux 
machines should be remediated (powered by Guest Configuration)\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NoExtension\",\r\n \"description\": \"Guest Configuration extension is not installed on the machine\",\r\n \"statusChangeDate\": \"2021-08-15T16:13:02.9081607Z\",\r\n \"firstEvaluationDate\": \"2021-08-15T16:13:02.9081607Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/myService1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/1f655fb7-63ca-4980-91a3-56dbc2b715c6/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpn6jwnse6quxirlinxqb6pagnzj7alb4oa5xqk7und7r6k3f24lspime5xux7s3e3/providers/microsoft.devices/iothubs/azurecli-hubewmywoze2j7v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T19:10:41.5574318Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T19:10:41.5574318Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4145442Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4149759Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4149759Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4167636Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4167636Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T21:11:34.4930056Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T21:11:34.4930056Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"name\": \"58d72d9d-0310-4792-9a3b-6dd111093cdb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Azure SQL Database servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7142889Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8298256Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"name\": \"64b8637e-4e1d-76a9-0fc9-c1e487a97ed8\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8581944Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8581944Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"name\": \"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Function Apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8666851Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8666851Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"name\": \"f0553104-cfdb-65e6-759c-002812e38500\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have an Azure Active Directory administrator 
provisioned\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8740455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8740455Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"name\": \"df4d1739-47f0-60c7-1706-3731fea6ab03\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"CORS should not allow every resource to access Web Applications\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8746476Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8746476Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore/providers/Microsoft.Security/assessments/651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"name\": \"651967bf-044e-4bde-8376-3e08e0600105\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/databases/datastore\"\r\n },\r\n \"displayName\": \"Transparent Data Encryption on SQL databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8875094Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8875094Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iot-resourcegroup-cus/providers/microsoft.devices/iothubs/sdk-iothub-del-cus\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg7exkn4sm4v24amnub5nzbmik37myxeusxwwyn2jpxwhdbbzlofsr5agedmwfjvoxv/providers/microsoft.devices/iothubs/azurecli-hubuksphkbt3lhh\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/sample-rg/providers/microsoft.devices/iothubs/samplehubforsdk\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8860867Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8860867Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"name\": \"400a6682-992c-4726-9549-629fbc3b988f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n 
\"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7383486Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8906885Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"name\": \"cb0acdc6-0846-fd48-debe-9905af151b6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function App should only be accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8929336Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8929336Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"name\": \"1b351b29-41ca-6df5-946c-c190a56be5fe\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web Application should only be 
accessible over HTTPS\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8975097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8975097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"name\": \"12018f4f-3d10-999b-e4c4-86ec25be08a1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.8981823Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.8981823Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"name\": \"94208a8b-16e8-4e5b-abbd-4e81c9d02bee\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Auditing on SQL server should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9096544Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9096544Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi/providers/Microsoft.Security/assessments/961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"name\": \"961eb649-3ea9-f8c2-6595-88e9a3aeedeb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": 
\"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.compute/virtualmachinescalesets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Virtual Machine Scale Sets should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9191943Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9191943Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"name\": \"ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Web apps should request an SSL certificate for all incoming requests\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9221325Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9221325Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"name\": \"2a54c352-7ca4-4bae-ad46-47ecd9595bd2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for web 
apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9231178Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9231178Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"name\": \"9f97e78d-88ee-a48d-abe2-5ef12954e7ea\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification to subscription owner for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-07-25T02:41:11.1822655Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9235482Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"name\": \"4a3d7cd3-f17c-637a-1ffc-614a01dd03cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Managed identity should be used in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9322509Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9322509Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"name\": \"15be5f3c-e0a4-c0fa-fbff-8e50339b4b22\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"TLS should be updated to the latest version for function apps\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.930854Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.930854Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"name\": \"af849052-4299-0692-acc0-bffcbe9e440c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Auto provisioning of the Log Analytics agent should be enabled on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-02T09:11:15.2514377Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9332772Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/620671b8-6661-273a-38ac-4574967750ec\",\r\n \"name\": \"620671b8-6661-273a-38ac-4574967750ec\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Audit retention for SQL servers should be set to at least 90 days\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9342255Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9342255Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": 
\"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"name\": \"87448ec1-55f6-3746-3f79-0f35beee76b4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows web servers should be configured to use secure communication protocols\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration 
extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9355025Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9355025Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2/providers/Microsoft.Security/assessments/efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"name\": \"efe75f01-6fff-5d9d-08e6-092b98d3fb3f\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/applicationgateways/contosowaf2\"\r\n },\r\n \"displayName\": \"Web Application Firewall (WAF) should be enabled for Application Gateway\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9334498Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9334498Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9358898Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n 
\"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"name\": \"1db4f204-cb5a-4c9c-9254-7556403ce51c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"SQL servers should have vulnerability assessment configured\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-09-08T23:46:51.7978842Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9358898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"name\": \"75396512-3323-9be4-059d-32ecb113c3de\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Private endpoint connections on Azure SQL Database should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9387806Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9387806Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"name\": \"22441184-2f7b-d4a0-e00b-4c5eaef4afc9\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Authentication to Linux machines should require SSH keys\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9420744Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9420744Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n 
\"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"name\": \"6c99f570-2ce7-46bc-8175-cde013df43bc\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Guest Configuration extension should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9393317Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9393317Z\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": 
\"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"name\": \"4ed62ae4-5072-f9e7-8d94-51c76c48159a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have purge protection enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9477277Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-05T15:28:12.9477277Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"name\": \"9b828565-a0ed-61c2-6bf3-1afc99a9b2ca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should not allow unrestricted network access\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.949715Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.949715Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n 
\"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"name\": \"f2f595ec-5dc6-68b4-82ef-b63563e9c610\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Azure Backup should be enabled for virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9471972Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9471972Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"name\": \"51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account public access should be disallowed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-11-14T17:16:47.0418689Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9374896Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"name\": \"e599a9fe-30e3-47c6-a173-8b4b6d9d3255\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Containers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7163231Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9565898Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"name\": \"c2ab4bea-c663-3259-a4cd-03a8feb02825\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Function apps should have Client Certificates (Incoming client certificates) enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9491743Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9491743Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"name\": \"47bb383c-8e25-95f0-c2aa-437add1d87d3\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should be migrated to new Azure Resource Manager resources\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9438819Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9438819Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"name\": \"3869fbd7-5d90-84e4-37bd-d9a7f4ce9a24\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Email notification for high severity alerts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0073419Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9543908Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"name\": \"88bbc99c-e5af-ddd7-6105-6150b2bfa519\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Diagnostic logs in Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9544101Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9544101Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"name\": \"1be22853-8ed1-4005-9907-ddad64cb1417\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Storage should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7151166Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9812709Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"name\": \"861bbc73-0a55-8d1d-efc6-e92d9e1176e0\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"vTPM should be enabled on supported virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.950383Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.950383Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using 
virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n 
{\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"name\": \"ad4f3ff1-30eb-5042-16ed-27198f640b8d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage accounts should restrict network access using virtual network rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9540473Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9540473Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"name\": \"22489c48-27d1-4e40-9420-4303ad9cffef\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Windows Defender Exploit Guard should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"GCExtensionIdentityMissing\",\r\n \"description\": \"Guest Configuration extension, managed identity and user identity are missing.\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9549978Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9549978Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"name\": \"78211c00-15a9-336e-17c4-0b48613dadf4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key vaults should have soft delete enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9590469Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9590469Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Storage 
account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9797516Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9797516Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"name\": \"b6a28450-dd5d-4ba4-8806-245e20ef6632\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for open-source relational databases should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7131706Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0015183Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"name\": \"2e96bc2f-1972-e471-9e70-ae58d41e9d2a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Private endpoint should be configured for Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9573802Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9573802Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"name\": \"56a6e81f-7413-4f72-9a1b-aaeeaa87c872\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for servers should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-09-20T00:11:24.8912186Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0601859Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"name\": \"f0fb2a7e-16d5-849f-be57-86db712e9bd0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Resource Manager should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7239542Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9773946Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"name\": \"6ac66a74-761f-4a59-928a-d373eea3f028\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for SQL servers on machines should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7106928Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0875362Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"name\": \"093c685b-56dd-13a3-8ed5-887a001837a2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Remote debugging should be turned off for Function App\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.1203455Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.1203455Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"name\": \"77758c9d-8a56-5f54-6ff7-69a762ca6004\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Subscriptions should have a contact email address for security issues\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-27T17:20:54.0006966Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.0114652Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"name\": \"972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"FTPS should be required in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2272624Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2272624Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"name\": \"52f7826a-ace7-3107-dd0d-4875853c1576\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Firewall should be enabled on Key Vault\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.2339538Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.2339538Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"name\": \"aae10e53-8403-3576-5d97-3b00f97332b2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for DNS should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7058846Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9599789Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"name\": \"40394a2c-60fb-7cc5-1944-065772e94f05\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"Diagnostic logs in App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9636939Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9636939Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.compute/virtualmachines/alertstest\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref/providers/Microsoft.Security/assessments/13e7d036-6903-821c-6018-962938929bf0\",\r\n \"name\": \"13e7d036-6903-821c-6018-962938929bf0\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/microsoft.containerregistry/registries/sdkref\"\r\n },\r\n \"displayName\": \"Container registries should use private link\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-05T15:28:12.9629274Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9629274Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice1\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/testservice\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"name\": \"69ad830b-d98c-b1cf-2158-9d69d38c7093\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.compute/virtualmachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Secure Boot should be enabled on supported Windows virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9634039Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9634039Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.storage/storageaccounts/takleidiag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlvamhbxfrvxg27hk\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/syslogmyservice1net\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": 
\"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/new-api-rg/providers/microsoft.storage/storageaccounts/storageaccountnewap90e0\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1vnet657\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditnorhckgibckar6zs\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/sqlauditcenkokky5rfpyhsm\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.network/virtualnetworks/iotsi-fdi-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/storagefdi4i\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n 
\"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet/providers/Microsoft.Security/assessments/f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"name\": \"f1f2f7dc-7bd5-18bf-c403-cbbdb7ec3d68\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.network/virtualnetworks/myservice1-vnet\"\r\n },\r\n \"displayName\": \"Network Watcher should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541204Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541204Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-cus/providers/microsoft.storage/storageaccounts/samplestorageaccount2\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.storage/storageaccounts/stgvx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n 
\"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/myservice1diag229\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgux2hohzfm5ae5g3e2kmehihecmlqvykbbwsyvm42bkvazts5afq5z5yozj4nl5rkj/providers/microsoft.storage/storageaccounts/clitestiwr74bhqm6myki4hp\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n 
\"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rglcgsehtecwpwxccgtkja6224bw44vnfv2k467vcpemnzdcao6sps5zepofomkzwvi/providers/microsoft.storage/storageaccounts/clitestjnrp2z3af7yw7ebbd\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog/providers/Microsoft.Security/assessments/1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"name\": \"1c5de8e1-f68d-6a17-e0d2-ec259c42768c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/microsoft.storage/storageaccounts/rc44m4u3jcfyesyslog\"\r\n },\r\n \"displayName\": \"Secure transfer to storage accounts should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9612604Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9612604Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet/providers/Microsoft.Security/assessments/f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"name\": \"f67fb4ed-d481-44d7-91e5-efadf504f74a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.network/virtualnetworks/taklei-vnet\"\r\n },\r\n \"displayName\": \"Virtual networks should be protected by Azure 
Firewall\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:13.4767439Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:13.4767439Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"name\": \"276b1952-c364-852b-11e5-657f0fa34dc6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should have firewall rules\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9663621Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9663621Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"name\": \"b1af52e4-e968-4e2b-b6d0-6736c9651f0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for Key Vault should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7117138Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9702185Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/subassessments_sdk_tests/providers/Microsoft.Sql/servers/sqlserversdktests\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore/providers/Microsoft.Security/assessments/22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"name\": \"22e93e92-4a31-b4cd-d640-3ef908430aa6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/myservice1/providers/Microsoft.Sql/servers/datastore\"\r\n },\r\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9670169Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9670169Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i/providers/Microsoft.Security/assessments/19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"name\": \"19beaa2a-a126-b4dd-6d35-617f6cc83fca\",\r\n \"properties\": {\r\n 
\"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/iotsimulator-fdi4i\"\r\n },\r\n \"displayName\": \"FTPS should be required in web apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.9541097Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9541097Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"WebApp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"name\": \"0876ef51-fee7-449d-ba1e-f2662c7e43c6\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Microsoft Defender for App Service should be enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-19T08:39:20.7178395Z\",\r\n \"firstEvaluationDate\": \"2022-04-05T15:28:12.9808591Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4/providers/Microsoft.Security/assessments/23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"name\": \"23aa9cbe-c2fb-6a2f-6c97-885a6d48c4d1\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.web/sites/functions-vx6syhq6e4vr4\"\r\n },\r\n \"displayName\": \"Managed identity should be used in function apps\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-05T15:28:12.982548Z\",\r\n \"firstEvaluationDate\": 
\"2022-04-05T15:28:12.982548Z\"\r\n },\r\n \"additionalData\": {\r\n \"Kind\": \"Functionapp\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5/providers/Microsoft.Security/assessments/cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"name\": \"cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgxczeneca2pu5sate5npese7xprso5rtqqb4zhvvy7rgzutuezqdy4umr7yb3v7bib/providers/microsoft.storage/storageaccounts/clitesty5i4as4fmd4555og5\"\r\n },\r\n \"displayName\": \"Storage account should use a private link connection\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-07T22:10:39.4248444Z\",\r\n \"firstEvaluationDate\": \"2022-04-07T22:10:39.4248444Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rg2uj7i3dl7bafl4qshuh57m3xmurngdysabbunhnhvcasj7o35vqz4fwgf5zwi6ujr/providers/microsoft.devices/iothubs/azurecli-hub7eff4pwjmjgi\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": 
\"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgpkgony4xu2tfaw7mrinetpjdcbi35gy5wxlb2db4fkia4df224ibyul2g6e7ovciv/providers/microsoft.devices/iothubs/azurecli-hubdkzwzwckbu5v\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-10T20:32:13.2897309Z\",\r\n \"firstEvaluationDate\": \"2022-04-10T20:32:13.2897309Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe/providers/Microsoft.Security/assessments/77785808-ce86-4e40-b45f-19110a547397\",\r\n \"name\": \"77785808-ce86-4e40-b45f-19110a547397\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/clitest.rgc7vaaluva526rdtaam5rafgbc2m7xmrvi472iiekfgzjvdqkpwzub343jj6a4k4ov/providers/microsoft.devices/iothubs/azurecli-hub222uswluq4fe\"\r\n },\r\n \"displayName\": \"Diagnostic logs in IoT Hub should be enabled\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-04-27T08:35:36.3477504Z\",\r\n 
\"firstEvaluationDate\": \"2022-04-27T08:35:36.3477504Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"name\": \"050ac097-3dda-4d24-ab6d-82568e7a50cf\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4699617Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4699617Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/050ac097-3dda-4d24-ab6d-82568e7a50cf/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"name\": \"20606e75-05c4-48c0-9d97-add6daa2109a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with owner permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4741787Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4741787Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/20606e75-05c4-48c0-9d97-add6daa2109a/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"name\": \"dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with read permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4722197Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4722197Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"name\": \"1ff0b4c9-ed56-4de6-be9c-d7ab39645926\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Blocked accounts with read and write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-16T05:44:34.6117426Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4736264Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/1ff0b4c9-ed56-4de6-be9c-d7ab39645926/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"name\": 
\"0354476c-a12a-4fcc-a79d-f0ab7ffffdbb\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with write permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4727997Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4727997Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/0354476c-a12a-4fcc-a79d-f0ab7ffffdbb/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"name\": \"fde1c0c9-0fd2-4ecc-87b5-98956cbc1095\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Guest accounts with read permissions on Azure resources should be removed\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4802849Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4802849Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/fde1c0c9-0fd2-4ecc-87b5-98956cbc1095/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"name\": \"c0cb17b2-0607-48a7-b0e0-903ed22de39b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with write permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.4810803Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.4810803Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"name\": \"6240402e-f77c-46fa-9060-a7ce53997754\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Accounts with owner permissions on Azure resources should be MFA enabled\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-05-10T20:32:53.5129783Z\",\r\n \"firstEvaluationDate\": \"2022-05-10T20:32:53.5129783Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6240402e-f77c-46fa-9060-a7ce53997754/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i/providers/Microsoft.Security/assessments/14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"name\": \"14acab4e-ad95-11ec-b909-0242ac120002\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/iotsimulator/providers/microsoft.documentdb/databaseaccounts/documentdb-fdi4i\"\r\n },\r\n \"displayName\": \"Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-06T07:46:47.0916979Z\",\r\n \"firstEvaluationDate\": \"2022-07-06T07:46:47.0916979Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts/providers/Microsoft.Security/assessments/14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"name\": \"14257785-9437-97fa-11ae-898cfb24302b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/taklei/providers/microsoft.keyvault/vaults/alerts\"\r\n },\r\n \"displayName\": \"Key Vault secrets should have an expiration date\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-28T06:11:40.1653432Z\",\r\n \"firstEvaluationDate\": \"2022-07-28T06:11:40.1653432Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"name\": \"4fb67663-9ab9-475d-b026-8c544cced439\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection should be installed on machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": 
\"2022-07-25T09:35:32.8936019Z\",\r\n \"firstEvaluationDate\": \"2022-07-25T09:35:32.8936019Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"name\": \"37a3689a-818e-4a0e-82ac-b1392b9bb000\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-07-26T08:35:38.2437985Z\",\r\n \"firstEvaluationDate\": \"2022-07-26T08:35:38.2437985Z\"\r\n },\r\n \"additionalData\": {\r\n \"subAssessmentsLink\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/37a3689a-818e-4a0e-82ac-b1392b9bb000/subAssessments\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"name\": \"2c79b4af-f830-b61e-92b9-63dfa30f16e4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"There should be more than one owner assigned to subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.2948643Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2948643Z\"\r\n },\r\n \"additionalData\": {}\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"name\": \"94290b00-4d0c-d7b4-7cea-064a9554e681\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with owner permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3111617Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3111617Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"name\": \"c3b6ae71-f1f0-31b4-e6c1-d5951285d03d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3049262Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3049262Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"name\": \"57e98606-6b1e-6193-0e3d-fe621387c16b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be 
enabled on accounts with write permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.305783Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.305783Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"name\": \"e52064aa-6853-e252-a11e-dffc675689c2\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts with owner permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3002478Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3002478Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsWithOwnerPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"name\": \"151e82c5-5341-a74b-1eb0-bc38d2c84bb5\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"MFA should be enabled on accounts with read permissions on subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3034825Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3034825Z\"\r\n },\r\n \"additionalData\": {\r\n \"usersWithNoMfaObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"name\": \"04e7147b-0deb-9796-2e5c-0336343ceb3d\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with write permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3045813Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3045813Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithWritePermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"name\": \"6f90a6d6-d4d6-0794-0ec1-98fa77878c2e\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"A maximum of 3 owners should be designated for subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-14T04:44:15.3211291Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.2991388Z\"\r\n },\r\n \"additionalData\": {\r\n \"identityDesignateLessThanXOwnersObjectIdList\": \"[\\\"56b8f04c-b471-415a-bbc2-74570bd022de\\\",\\\"af29e494-977e-4749-acb6-6fe3a10c56aa\\\",\\\"25b2be9f-65f7-491e-9e53-61fa1b39fa8a\\\"]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"name\": \"00c6d40b-e990-6acf-d4f3-471e747a27c4\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"Deprecated accounts should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3005516Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3005516Z\"\r\n },\r\n \"additionalData\": {\r\n \"deprecatedAccountsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments/a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"name\": \"a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869\"\r\n },\r\n \"displayName\": \"External accounts with read permissions should be removed from subscriptions\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-09-02T06:00:41.3056507Z\",\r\n \"firstEvaluationDate\": \"2022-09-02T06:00:41.3056507Z\"\r\n },\r\n \"additionalData\": {\r\n \"externalAccountsWithReadPermissionsObjectIdList\": \"[]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": 
\"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n \"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"name\": \"83f577bd-a1b6-b7e1-0891-12ca19d1e6df\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Install endpoint protection solution on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9205976Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9205976Z\"\r\n },\r\n 
\"additionalData\": {\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-10-19T12:47:53.4001303Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T00:58:05.683Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n 
\"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": 
\"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"name\": \"181ac480-f7c4-544b-9865-11b8ffe87f47\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Machines should be configured securely\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212024Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212024Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": 
\"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-10-07T07:02:26.3021545Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Log Analytics agent 
should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"Off\",\r\n \"Monitoring agent extension installed\": \"Off\",\r\n \"Monitoring agent installation status\": \"FailureDueToAgentNotResponding\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting 
workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"name\": \"d1db3318-01ff-16de-29eb-28b344515626\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Log Analytics agent should be installed on virtual machines\",\r\n \"status\": {\r\n \"code\": \"Healthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.919619Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.919619Z\"\r\n },\r\n \"additionalData\": {\r\n \"VM Agent installed\": \"On\",\r\n \"Monitoring agent extension installed\": \"On\",\r\n \"Monitoring agent installation status\": \"Installed\",\r\n \"Automatic monitoring agent installation policy\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n 
\"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"False\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"False\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"name\": \"d57a4221-a804-52ca-3dea-768284f06bb7\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.925792Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.925792Z\"\r\n },\r\n \"additionalData\": {\r\n \"Is supported\": \"True\",\r\n \"OS disk encrypted\": \"False\",\r\n \"Data disk encrypted\": \"True\"\r\n }\r\n }\r\n },\r\n {\r\n 
\"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": 
\"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Linux\",\r\n \"Reporting workspace customer id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"NA\",\r\n \"description\": \"NA\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"0001-01-01T00:00:00Z\",\r\n \"Scan data is valid\": \"False\",\r\n \"Scan data exists\": \"False\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Reporting workspace customer 
id\": \"1e8531b4-8e83-489a-8dc1-0ba398fcc809\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-487bb485-b5b0-471e-9c0d-10717612f869-weu\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"name\": \"3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"Endpoint protection health issues on machines should be resolved\",\r\n \"status\": {\r\n \"code\": \"Unhealthy\",\r\n \"statusChangeDate\": \"2022-08-20T00:34:57.9212714Z\",\r\n \"firstEvaluationDate\": \"2022-08-20T00:34:57.9212714Z\"\r\n },\r\n \"additionalData\": {\r\n \"Last scan time\": \"2022-11-17T03:42:33.784Z\",\r\n \"Scan data is valid\": \"True\",\r\n \"Scan data exists\": \"True\",\r\n \"PolicyState\": \"On\",\r\n \"OS Type\": \"Windows\",\r\n \"Antimalware type\": \"Windows Defender\",\r\n \"Reporting workspace customer id\": \"df35f3e2-89af-4e01-b1f7-4cda6645ed9d\",\r\n \"Reporting workspace azure id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourcegroups/mainws/providers/microsoft.operationalinsights/workspaces/securityuserws\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/IOTSIMULATOR/providers/Microsoft.Compute/virtualMachineScaleSets/iotsi-fdi\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService1\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/syslogmyservice1vm\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": \"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/MYSERVICE1/providers/Microsoft.Compute/virtualMachines/testService\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Security/assessments\",\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest/providers/Microsoft.Security/assessments/9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"name\": 
\"9b7d740f-c271-4bfd-88fb-515680c33440\",\r\n \"properties\": {\r\n \"resourceDetails\": {\r\n \"Source\": \"Azure\",\r\n \"Id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/resourceGroups/TAKLEI/providers/Microsoft.Compute/virtualMachines/alertsTest\"\r\n },\r\n \"displayName\": \"File integrity monitoring should be enabled on machines\",\r\n \"status\": {\r\n \"code\": \"NotApplicable\",\r\n \"cause\": \"AzureMonitoringAgentMissing\",\r\n \"description\": \"Azure Monitor agent, a prerequisite for this feature, is missing.\",\r\n \"statusChangeDate\": \"2022-09-19T11:03:41.0193082Z\",\r\n \"firstEvaluationDate\": \"2022-09-14T09:17:10.8181414Z\"\r\n }\r\n }\r\n }\r\n ],\r\n \"nextLink\": \"https://management.azure.com/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/assessments?api-version=2021-06-01&NextLink=_dynamic\"\r\n}", "StatusCode": 200 }, { @@ -66,7 +66,7 @@ "RequestMethod": "GET", "RequestHeaders": { "x-ms-client-request-id": [ - "eb4ca80f-3c43-4dc4-92bf-208dad8b6f69" + "57b40434-e92f-4112-8e03-9edd6d39f554" ], "Accept-Language": [ "en-US" @@ -90,13 +90,13 @@ "748" ], "x-ms-request-id": [ - "44c216af-3e59-4dcb-a53e-87723034be5b" + "30ab0dcc-e9cd-458d-9323-5891bdabc5cb" ], "x-ms-correlation-request-id": [ - "44c216af-3e59-4dcb-a53e-87723034be5b" + "30ab0dcc-e9cd-458d-9323-5891bdabc5cb" ], "x-ms-routing-request-id": [ - "FRANCESOUTH:20221117T081840Z:44c216af-3e59-4dcb-a53e-87723034be5b" + "FRANCESOUTH:20221117T094931Z:30ab0dcc-e9cd-458d-9323-5891bdabc5cb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -105,7 +105,7 @@ "nosniff" ], "Date": [ - "Thu, 17 Nov 2022 08:18:39 GMT" + "Thu, 17 Nov 2022 09:49:30 GMT" ], "Content-Length": [ "12" From e66d461a679c7204f4359e9058726fc8b21c8e77 Mon Sep 17 00:00:00 2001 
From: yifat Date: Thu, 17 Nov 2022 12:11:51 +0200 Subject: [PATCH 10/18] Record settings tests --- .../ScenarioTests/SecuritySettingTests.ps1 | 2 +- .../GetSubscriptionScope.json | 26 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/Security/Security.Test/ScenarioTests/SecuritySettingTests.ps1 b/src/Security/Security.Test/ScenarioTests/SecuritySettingTests.ps1 index a8ed131eb8bc..830e368cb9de 100644 --- a/src/Security/Security.Test/ScenarioTests/SecuritySettingTests.ps1 +++ b/src/Security/Security.Test/ScenarioTests/SecuritySettingTests.ps1 @@ -54,7 +54,7 @@ function Validate-Settings { param($settings) - Assert-True { $settings.Count -eq 4 } + Assert-True { $settings.Count -eq 5 } Foreach($setting in $settings) { diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionScope.json index 3b4f58489b1d..ea6fa7a29677 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecuritySettingTests/GetSubscriptionScope.json 
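Review bot: `Assert-True { $settings.Count -eq 5 }` in `Validate-Settings` pins the test to the exact number of settings the service returned when the session was recorded. The next setting added service-side, as `WDATP_UNIFIED_SOLUTION` was in this recording, will break the test on re-record. Asserting only that something came back, `Assert-True { $settings.Count -gt 0 }`, and leaving the per-item checks to the `Foreach` loop would keep the test meaningful without the magic number. If the exact count matters, a comment listing the five expected setting names would make the next failure easier to diagnose. The loop body continues outside the hunk.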
@@ -1,24 +1,24 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings?api-version=2021-07-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3M/YXBpLXZlcnNpb249MjAyMS0wNy0wMQ==", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings?api-version=2022-05-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2V0dGluZ3M/YXBpLXZlcnNpb249MjAyMi0wNS0wMQ==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "c91343da-5a78-4259-93bd-cd2902396375" + "679cab11-7eb5-426c-afa7-0b7781e6a648" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.30411.01", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.14393.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/3.0.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, + "RequestBody": "", "ResponseHeaders": { "Cache-Control": [ "no-cache" @@ -36,25 +36,25 @@ "1.0" ], "x-ms-request-id": [ - "57e7e41e-014a-4e81-9290-b7fbffa1e07e" + "7b90b932-d4ac-4038-a629-9f1d6d636b99" ], "Server": [ "Kestrel" ], "x-ms-correlation-request-id": [ - "3644afe3-e49e-4c68-957e-ce4bda33d425" + "649d583a-aca4-467b-97cc-70aee7ddd7c9" ], "x-ms-routing-request-id": [ - "UAECENTRAL:20210831T191104Z:3644afe3-e49e-4c68-957e-ce4bda33d425" + "FRANCESOUTH:20221117T101124Z:649d583a-aca4-467b-97cc-70aee7ddd7c9" ], "X-Content-Type-Options": [ "nosniff" ], "Date": [ - "Tue, 31 Aug 2021 19:11:03 GMT" + "Thu, 17 Nov 2022 10:11:23 GMT" ], "Content-Length": [ - "933" + "1182" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -63,7 +63,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS\",\r\n \"name\": \"MCAS\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/WDATP\",\r\n \"name\": \"WDATP\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW\",\r\n \"name\": \"WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/Sentinel\",\r\n \"name\": \"Sentinel\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"AlertSyncSettings\",\r\n \"properties\": {\r\n \"enabled\": false\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/MCAS\",\r\n \"name\": \"MCAS\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/WDATP\",\r\n \"name\": \"WDATP\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW\",\r\n \"name\": \"WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION\",\r\n \"name\": \"WDATP_UNIFIED_SOLUTION\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"DataExportSettings\",\r\n \"properties\": {\r\n \"enabled\": true\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/settings/Sentinel\",\r\n \"name\": \"Sentinel\",\r\n \"type\": \"Microsoft.Security/settings\",\r\n \"kind\": \"AlertSyncSettings\",\r\n \"properties\": {\r\n \"enabled\": false\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], From 8ffbfb2518cd77f8d6425bc98a85fec17d44895b Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 16:42:00 +0200 Subject: [PATCH 11/18] Add SubPlan support in pricing --- src/Security/Security/Models/Pricings/PSSecurityPricing.cs | 2 ++ .../Security/Models/Pricings/PSSecurityPricingConverters.cs | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Security/Security/Models/Pricings/PSSecurityPricing.cs b/src/Security/Security/Models/Pricings/PSSecurityPricing.cs index 75dc61db9356..2b99facf8c56 100644 --- a/src/Security/Security/Models/Pricings/PSSecurityPricing.cs +++ b/src/Security/Security/Models/Pricings/PSSecurityPricing.cs @@ -25,5 +25,7 @@ public class PSSecurityPricing public string PricingTier { get; set; } public TimeSpan? FreeTrialRemainingTime { get; internal set; } + + public string SubPlan { get; set; } } } 
diff --git a/src/Security/Security/Models/Pricings/PSSecurityPricingConverters.cs b/src/Security/Security/Models/Pricings/PSSecurityPricingConverters.cs index 59f0efc692bd..9252d822fd42 100644 --- a/src/Security/Security/Models/Pricings/PSSecurityPricingConverters.cs +++ b/src/Security/Security/Models/Pricings/PSSecurityPricingConverters.cs @@ -27,7 +27,8 @@ public static PSSecurityPricing ConvertToPSType(this Pricing value) Id = value.Id, Name = value.Name, PricingTier = value.PricingTier, - FreeTrialRemainingTime = value.FreeTrialRemainingTime + FreeTrialRemainingTime = value.FreeTrialRemainingTime, + SubPlan = value.SubPlan }; } From 992cd9073a0a9d26f05e01d32e7753054c113f8b Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 17:09:53 +0200 Subject: [PATCH 12/18] Change SecurityContact page type to list --- .../Generated/ISecurityContactsOperations.cs | 2 +- .../Generated/SecurityContactsOperations.cs | 6 +++--- .../Generated/SecurityContactsOperationsExtensions.cs | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs b/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs index a0315a999898..51db5c2ac29d 100644 --- a/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs +++ b/src/Security/Security.Management.Sdk/Generated/ISecurityContactsOperations.cs @@ -41,7 +41,7 @@ public partial interface ISecurityContactsOperations /// /// Thrown when a required parameter is null /// - Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); + Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)); /// /// Get Default Security contact configurations for the subscription /// 
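Review bot: `SubPlan = value.SubPlan` only copies the value into the output object, and nothing in this commit (two files changed) sends it back to the service. Yet the matching property in PSSecurityPricing.cs is declared `public string SubPlan { get; set; }`, so a caller who assigns it on the returned object may expect an effect that is not visible here. If the property is meant to be read-only output, `public string SubPlan { get; internal set; }` would match `FreeTrialRemainingTime`; this is moot if a later patch in the series wires it into the set cmdlet. Either way the new property would benefit from a short XML doc comment, e.g. `/// <summary>Sub-plan selected for the pricing configuration, when more than one is available; may be null.</summary>`. `ConvertToPSType` starts outside the hunk, so whether `value` is null-checked cannot be seen from here.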
diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs index 95b1543065ae..fd37cb27eb37 100644 --- a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs +++ b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperations.cs @@ -74,7 +74,7 @@ internal SecurityContactsOperations(SecurityCenterClient client) /// /// A response object containing the response body and response headers. /// - public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) + public async Task>> ListWithHttpMessagesAsync(Dictionary> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken)) { if (Client.SubscriptionId == null) { @@ -201,7 +201,7 @@ internal SecurityContactsOperations(SecurityCenterClient client) throw ex; } // Create Result - var _result = new AzureOperationResponse>(); + var _result = new AzureOperationResponse>(); _result.Request = _httpRequest; _result.Response = _httpResponse; if (_httpResponse.Headers.Contains("x-ms-request-id")) @@ -214,7 +214,7 @@ internal SecurityContactsOperations(SecurityCenterClient client) _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false); try { - _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); + _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject>(_responseContent, Client.DeserializationSettings); } catch (JsonException ex) { diff --git a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs index 70d81f4a9fe0..a8e29f52b278 100644 --- a/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs 
+++ b/src/Security/Security.Management.Sdk/Generated/SecurityContactsOperationsExtensions.cs @@ -13,6 +13,7 @@ namespace Microsoft.Azure.Management.Security using Microsoft.Rest; using Microsoft.Rest.Azure; using Models; + using System.Collections.Generic; using System.Threading; using System.Threading.Tasks; @@ -27,7 +28,7 @@ public static partial class SecurityContactsOperationsExtensions /// /// The operations group for this extension method. /// - public static IPage List(this ISecurityContactsOperations operations) + public static IList List(this ISecurityContactsOperations operations) { return operations.ListAsync().GetAwaiter().GetResult(); } @@ -41,7 +42,7 @@ public static IPage List(this ISecurityContactsOperations opera /// /// The cancellation token. /// - public static async Task> ListAsync(this ISecurityContactsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) + public static async Task> ListAsync(this ISecurityContactsOperations operations, CancellationToken cancellationToken = default(CancellationToken)) { using (var _result = await operations.ListWithHttpMessagesAsync(null, cancellationToken).ConfigureAwait(false)) { From 535a64f52dfb150e1cf63cde90ac522b82c8f439 Mon Sep 17 00:00:00 2001 From: yifat Date: Thu, 17 Nov 2022 17:11:40 +0200 Subject: [PATCH 13/18] Fix and record SecurityContact tests --- .../ScenarioTests/SecurityContactTests.ps1 | 16 +-- .../GetResourceId.json | 132 +++++++++--------- .../GetSubscriptionLevelResource.json | 132 +++++++++--------- .../GetSubscriptionScope.json | 132 +++++++++--------- .../RemoveSubscriptionLevelResource.json | 130 +++++++++-------- .../SetSubscriptionLevelResource.json | 71 +++++----- ...SetSubscriptionLevelResourceSecondary.json | 39 +++--- 7 files changed, 344 insertions(+), 308 deletions(-) 
diff --git a/src/Security/Security.Test/ScenarioTests/SecurityContactTests.ps1 b/src/Security/Security.Test/ScenarioTests/SecurityContactTests.ps1 index 11581df32218..e219022ef480 100644 --- a/src/Security/Security.Test/ScenarioTests/SecurityContactTests.ps1 +++ b/src/Security/Security.Test/ScenarioTests/SecurityContactTests.ps1 @@ -18,7 +18,7 @@ Get security contacts on a subscription #> function Get-AzureRmSecurityContact-SubscriptionScope { - Set-AzSecurityContact -Name "default1" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert + Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert $contacts = Get-AzSecurityContact Validate-Contacts $contacts @@ -30,9 +30,9 @@ Get a security contact #> function Get-AzureRmSecurityContact-SubscriptionLevelResource { - Set-AzSecurityContact -Name "default1" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert + Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert - $contact = Get-AzSecurityContact -Name "default1" + $contact = Get-AzSecurityContact -Name "default" Validate-Contact $contact } @@ -42,7 +42,7 @@ Get a security contact by resource ID #> function Get-AzureRmSecurityContact-ResourceId { - $contact = Set-AzSecurityContact -Name "default1" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert + $contact = Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert $fetchedContact = Get-AzSecurityContact -ResourceId $contact.Id Validate-Contact $fetchedContact 
@@ -54,7 +54,7 @@ Set a security contact on a subscription #> function Set-AzureRmSecurityContact-SubscriptionLevelResource { - Set-AzSecurityContact -Name "default1" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert + Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert } <# @@ -63,7 +63,7 @@ Set a security contact on a subscription #> function Set-AzureRmSecurityContact-SubscriptionLevelResource-Secondary { - Set-AzSecurityContact -Name "default2" -Email "ascasc@microsoft.com" + Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" } <# @@ -72,8 +72,8 @@ Delete a security contact on a subscription #> function Remove-AzureRmSecurityContact-SubscriptionLevelResource { - Set-AzSecurityContact -Name "default1" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert - Remove-AzSecurityContact -Name "default1" + Set-AzSecurityContact -Name "default" -Email "ascasc@microsoft.com" -Phone "123123123" -AlertAdmin -NotifyOnAlert + Remove-AzSecurityContact -Name "default" } <# diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetResourceId.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetResourceId.json index a33e56cee06f..84f5d9475d57 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetResourceId.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetResourceId.json 
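Review bot: In the `@@ -63,7 +63,7 @@` hunk, `Set-AzureRmSecurityContact-SubscriptionLevelResource-Secondary` now targets the same contact name `default` as every other test. It therefore no longer creates a second contact and only overwrites the shared one with an e-mail-only request. If the newer API version accepts only that name (the recordings suggest so, but it is not shown here), say so above the call, e.g. `# securityContacts 2020-01-01-preview: single contact named "default"; this case covers the e-mail-only parameter set`. The same rename in the `@@ -72,8 +72,8 @@` hunk means a live re-recording of the Remove test deletes the subscription's `default` contact, which presumably leaves alert e-mail notifications unconfigured afterwards. Re-creating the contact at the end of that test, or noting that the recording subscription is disposable, would avoid that.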
@@ -1,55 +1,54 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", "RequestHeaders": { - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Content-Length": [ - "154" - ], "x-ms-client-request-id": [ - "955b02ff-51a8-44ff-9ced-d9d3d4a4b759" + "e253138d-ab85-4f07-a874-09b968e7fe31" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" - ] - }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", - "ResponseHeaders": { - "Content-Length": [ - "292" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + 
"Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ - "-1" + "Content-Length": [ + "210" + ] + }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"On\"\r\n }\r\n }\r\n}", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "819f77f5-5b63-4d5d-b57f-970c48942791" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "249" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "2449057a-4442-4041-9934-81c59294f0b9" + ], "x-ms-correlation-request-id": [ - "78d61b16-5001-49b3-8118-11b785ef56ff" + "2449057a-4442-4041-9934-81c59294f0b9" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185247Z:78d61b16-5001-49b3-8118-11b785ef56ff" + "FRANCESOUTH:20221117T150758Z:2449057a-4442-4041-9934-81c59294f0b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,62 +56,65 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:52:46 GMT" + "Thu, 17 Nov 2022 15:07:58 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a031424-0000-0d00-0000-63764e4e0000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "aafc6aff-b868-431f-ace1-fe9fb3ee0ef4" + "80339727-b3a9-47fe-ba66-1c893d052ced" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - 
"FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", + "RequestBody": "", "ResponseHeaders": { - "Content-Length": [ - "292" - ], - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Expires": [ - "-1" + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "2da19830-e1d4-4c71-a122-d706a01c052e" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "e24001cb-5e66-462a-af97-5ec6358b0636" + ], "x-ms-correlation-request-id": [ - "fbdc8515-079f-4824-925d-ec19d07e45fa" + "e24001cb-5e66-462a-af97-5ec6358b0636" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185248Z:fbdc8515-079f-4824-925d-ec19d07e45fa" + "FRANCESOUTH:20221117T150759Z:e24001cb-5e66-462a-af97-5ec6358b0636" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -120,16 +122,20 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:52:47 GMT" + "Thu, 17 Nov 2022 15:07:58 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a031424-0000-0d00-0000-63764e4e0000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionLevelResource.json index e23d70cc0785..037656abe9b7 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionLevelResource.json 
@@ -1,55 +1,54 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", "RequestHeaders": { - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Content-Length": [ - "154" - ], "x-ms-client-request-id": [ - "73fce7f7-8d84-46a4-9c87-c47b4aeb3d71" + "afdbf400-fb36-437d-9bb6-f3cdb34fa09b" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" - ] - }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", - "ResponseHeaders": { - "Content-Length": [ - "292" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + 
"Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ - "-1" + "Content-Length": [ + "210" + ] + }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"On\"\r\n }\r\n }\r\n}", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "7594e1a5-c04c-4d28-87f0-75812230dd1d" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "249" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "9e61afa0-0a11-440f-ad7b-f03b32800ee1" + ], "x-ms-correlation-request-id": [ - "63fe314d-2adc-4889-aac2-95aa5a910a27" + "9e61afa0-0a11-440f-ad7b-f03b32800ee1" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185323Z:63fe314d-2adc-4889-aac2-95aa5a910a27" + "FRANCESOUTH:20221117T150810Z:9e61afa0-0a11-440f-ad7b-f03b32800ee1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,62 +56,65 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:53:23 GMT" + "Thu, 17 Nov 2022 15:08:10 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a036b26-0000-0d00-0000-63764e5a0000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "b135204d-6b67-4621-a8d1-7a4292198575" + "34660610-0d9e-45cc-815b-369d405a2e17" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - 
"FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", + "RequestBody": "", "ResponseHeaders": { - "Content-Length": [ - "292" - ], - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Expires": [ - "-1" + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "902fee19-e2ee-4b8b-b8b0-baf319798095" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "efa0d434-2e7d-44f7-9a6d-dbed2a784c12" + ], "x-ms-correlation-request-id": [ - "f556ed9c-5949-4dc2-8f85-dac7f8c5f381" + "efa0d434-2e7d-44f7-9a6d-dbed2a784c12" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185325Z:f556ed9c-5949-4dc2-8f85-dac7f8c5f381" + "FRANCESOUTH:20221117T150811Z:efa0d434-2e7d-44f7-9a6d-dbed2a784c12" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -120,16 +122,20 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:53:24 GMT" + "Thu, 17 Nov 2022 15:08:11 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a036b26-0000-0d00-0000-63764e5a0000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionScope.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionScope.json index d446ee0cb8ea..52c7b4154ff8 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionScope.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/GetSubscriptionScope.json 
@@ -1,55 +1,54 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", "RequestHeaders": { - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Content-Length": [ - "154" - ], "x-ms-client-request-id": [ - "ab3118c4-ed2b-4d10-8c88-3f6ef160e631" + "1c5c7313-6724-4d4d-ad32-7fe8a6fbd442" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" - ] - }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", - "ResponseHeaders": { - "Content-Length": [ - "292" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + 
"Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ - "-1" + "Content-Length": [ + "210" + ] + }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"On\"\r\n }\r\n }\r\n}", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "3d2e1b97-c12b-4ab7-a425-8f7befb66d64" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "249" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "dcfb6439-f32b-41b9-8c12-7d2062e2880d" + ], "x-ms-correlation-request-id": [ - "5d35e8c6-5239-4698-a7da-4893d69bc301" + "dcfb6439-f32b-41b9-8c12-7d2062e2880d" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185401Z:5d35e8c6-5239-4698-a7da-4893d69bc301" + "FRANCESOUTH:20221117T150822Z:dcfb6439-f32b-41b9-8c12-7d2062e2880d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,62 +56,65 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:54:01 GMT" + "Thu, 17 Nov 2022 15:08:22 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a038828-0000-0d00-0000-63764e660000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cz9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cz9hcGktdmVyc2lvbj0yMDIwLTAxLTAxLXByZXZpZXc=", "RequestMethod": "GET", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f8193b02-384f-4e33-803e-9441c73a465f" + "833ac958-769f-44c4-be6c-051c39ca15cf" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - 
"OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n }\r\n ]\r\n}", + "RequestBody": "", "ResponseHeaders": { - "Content-Length": [ - "304" - ], - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Expires": [ - "-1" + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "d998fc3e-efce-4607-8133-6c89fc830ab5" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "749" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "78bb6dbb-073d-4eb8-84d4-67c0337715a0" + ], "x-ms-correlation-request-id": [ - "022cf128-450e-41e3-bdbe-21ed09ee4c8d" + "78bb6dbb-073d-4eb8-84d4-67c0337715a0" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185402Z:022cf128-450e-41e3-bdbe-21ed09ee4c8d" + "FRANCESOUTH:20221117T150825Z:78bb6dbb-073d-4eb8-84d4-67c0337715a0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -120,16 +122,20 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:54:02 GMT" + "Thu, 17 Nov 2022 15:08:24 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "436" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "[\r\n {\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a038828-0000-0d00-0000-63764e660000\\\"\",\r\n \"location\": \"West Europe\"\r\n }\r\n]", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/RemoveSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/RemoveSubscriptionLevelResource.json index 4a9651e97b02..1df9eaef2ae8 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/RemoveSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/RemoveSubscriptionLevelResource.json 
@@ -1,55 +1,54 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", "RequestHeaders": { - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Content-Length": [ - "154" - ], "x-ms-client-request-id": [ - "e8ad617b-30f7-4f25-9216-e5eb253a3291" + "526a9d53-a5a6-4bc3-8628-d1fc326b4c9e" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" - ] - }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", - "ResponseHeaders": { - "Content-Length": [ - "292" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + 
"Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ - "-1" + "Content-Length": [ + "210" + ] + }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"On\"\r\n }\r\n }\r\n}", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "4b7d055a-fbd9-45b5-8966-b1b7a4f679f4" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "248" + ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "4be5e2f1-9f18-4ff4-8035-1551453d2f18" ], "x-ms-correlation-request-id": [ - "1335d76e-c02f-41f1-8569-a1870559501d" + "4be5e2f1-9f18-4ff4-8035-1551453d2f18" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185442Z:1335d76e-c02f-41f1-8569-a1870559501d" + "FRANCESOUTH:20221117T150831Z:4be5e2f1-9f18-4ff4-8035-1551453d2f18" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,56 +56,65 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:54:41 GMT" + "Thu, 17 Nov 2022 15:08:31 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a03ef29-0000-0d00-0000-63764e6f0000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 }, { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "DELETE", - "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "6c3e2875-36a7-44d5-80e9-d1303cce30f2" + "ae60f2e9-e8fa-4e58-9ef6-db89bf6ad8e7" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - 
"FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ] }, - "ResponseBody": "", + "RequestBody": "", "ResponseHeaders": { - "Expires": [ - "-1" + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "1ce94aa7-dc6f-4bdf-b48a-dfd3f97528fd" - ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "fa69baf7-c52a-4e3a-8301-6760bd4f897d" + ], "x-ms-correlation-request-id": [ - "26ab5d06-61f8-4db2-a035-f5ad47df9469" + "fa69baf7-c52a-4e3a-8301-6760bd4f897d" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185443Z:26ab5d06-61f8-4db2-a035-f5ad47df9469" + "FRANCESOUTH:20221117T150846Z:fa69baf7-c52a-4e3a-8301-6760bd4f897d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -114,17 +122,21 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:54:43 GMT" + "Thu, 17 Nov 2022 15:08:46 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "2" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, - "StatusCode": 204 + "ResponseBody": "{}", + "StatusCode": 200 } ], "Names": {}, diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResource.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResource.json index a8c03d729b32..e8dd872bc9bb 100644 
--- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResource.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResource.json 
@@ -1,55 +1,54 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0MT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", "RequestHeaders": { - "Content-Type": [ - "application/json; charset=utf-8" - ], - "Content-Length": [ - "154" - ], "x-ms-client-request-id": [ - "5100e4f6-542c-4337-8bfc-71a586794fe2" + "e0b0abd9-7207-40bd-9a27-eefe19058916" ], - "accept-language": [ + "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.7.3132.0", - "OSName/Windows10Enterprise", - "OSVersion/6.3.17134", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.9.0.0" - ] - }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default1\",\r\n \"name\": \"default1\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": \"On\",\r\n \"alertsToAdmins\": \"On\"\r\n }\r\n}", - "ResponseHeaders": { - "Content-Length": [ - "292" + "FxVersion/4.700.22.51102", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.22621", + 
"Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ - "-1" + "Content-Length": [ + "210" + ] + }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"On\"\r\n }\r\n }\r\n}", + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "8f675c00-dcf6-4b9f-82b1-49fe0ced9a63" - ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "249" ], + "api-supported-versions": [ + "2020-01-01-preview" + ], + "Server": [ + "Kestrel" + ], + "x-ms-request-id": [ + "0e37ad41-cfca-4eb7-a196-9933c4052000" + ], "x-ms-correlation-request-id": [ - "4430715a-c0a5-4406-9d82-18d7d31d8eff" + "0e37ad41-cfca-4eb7-a196-9933c4052000" ], "x-ms-routing-request-id": [ - "UKSOUTH2:20180820T185524Z:4430715a-c0a5-4406-9d82-18d7d31d8eff" + "FRANCESOUTH:20221117T150817Z:0e37ad41-cfca-4eb7-a196-9933c4052000" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,16 +56,20 @@ "X-Content-Type-Options": [ "nosniff" ], - "Cache-Control": [ - "no-cache" - ], "Date": [ - "Mon, 20 Aug 2018 18:55:24 GMT" + "Thu, 17 Nov 2022 15:08:16 GMT" ], - "Server": [ - "Microsoft-HTTPAPI/2.0" + "Content-Length": [ + "434" + ], + "Content-Type": [ + "application/json; charset=utf-8" + ], + "Expires": [ + "-1" ] }, + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"On\",\r\n \"roles\": [\r\n \"Owner\"\r\n ]\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"On\",\r\n \"minimalSeverity\": \"High\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a038827-0000-0d00-0000-63764e610000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 } ], diff --git a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResourceSecondary.json b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResourceSecondary.json index e937768bcb64..c2e51f5cbfca 100644 --- a/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResourceSecondary.json +++ b/src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.SecurityContactTests/SetSubscriptionLevelResourceSecondary.json 
@@ -1,30 +1,30 @@ { "Entries": [ { - "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default2?api-version=2017-08-01-preview", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0Mj9hcGktdmVyc2lvbj0yMDE3LTA4LTAxLXByZXZpZXc=", + "RequestUri": "/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDg3YmI0ODUtYjViMC00NzFlLTljMGQtMTA3MTc2MTJmODY5L3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHkvc2VjdXJpdHlDb250YWN0cy9kZWZhdWx0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDEtcHJldmlldw==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"phone\": \"\",\r\n \"alertNotifications\": \"Off\",\r\n \"alertsToAdmins\": \"Off\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "67e5ff82-b090-4760-8d66-ddc5a4db7829" + "fa0fa1aa-c852-4a55-b7e6-272ea6e8fa36" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.27019.06", + "FxVersion/4.700.22.51102", "OSName/Windows", - "OSVersion/Microsoft.Windows.10.0.17134.", - "Microsoft.Azure.Management.Security.SecurityCenterClient/0.10.0.0" + "OSVersion/Microsoft.Windows.10.0.22621", + "Microsoft.Azure.Management.Security.SecurityCenterClient/4.0.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "147" + "203" ] }, + "RequestBody": "{\r\n \"properties\": {\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"\",\r\n \"alertNotifications\": {\r\n \"state\": \"Off\"\r\n },\r\n \"notificationsByRole\": {\r\n \"state\": \"Off\"\r\n }\r\n }\r\n}", "ResponseHeaders": { "Cache-Control": [ "no-cache" 
@@ -32,20 +32,23 @@ "Pragma": [ "no-cache" ], - "x-ms-request-id": [ - "59a92935-a7e2-42bf-8261-7cb7a7cae756" + "x-ms-ratelimit-remaining-subscription-resource-requests": [ + "249" + ], + "api-supported-versions": [ + "2020-01-01-preview" ], "Server": [ - "Microsoft-HTTPAPI/2.0" + "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ - "249" + "x-ms-request-id": [ + "cda6390b-ca19-452b-bb4b-035d5f485091" ], "x-ms-correlation-request-id": [ - "4fa9b8b6-3c4a-44b3-80e5-c1b45bb61e8d" + "cda6390b-ca19-452b-bb4b-035d5f485091" ], "x-ms-routing-request-id": [ - "UKWEST:20181213T145753Z:4fa9b8b6-3c4a-44b3-80e5-c1b45bb61e8d" + "FRANCESOUTH:20221117T150805Z:cda6390b-ca19-452b-bb4b-035d5f485091" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,10 +57,10 @@ "nosniff" ], "Date": [ - "Thu, 13 Dec 2018 14:57:52 GMT" + "Thu, 17 Nov 2022 15:08:04 GMT" ], "Content-Length": [ - "274" + "425" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,7 +69,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default2\",\r\n \"name\": \"default2\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"properties\": {\r\n \"email\": \"ascasc@microsoft.com\",\r\n \"alertNotifications\": \"Off\",\r\n \"alertsToAdmins\": \"Off\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"properties\": {\r\n \"notificationsByRole\": {\r\n \"state\": \"Off\",\r\n \"roles\": []\r\n },\r\n \"emails\": \"ascasc@microsoft.com\",\r\n \"phone\": \"123123123\",\r\n \"alertNotifications\": {\r\n \"state\": \"Off\",\r\n \"minimalSeverity\": \"\"\r\n }\r\n },\r\n \"id\": \"/subscriptions/487bb485-b5b0-471e-9c0d-10717612f869/providers/Microsoft.Security/securityContacts/default\",\r\n \"name\": \"default\",\r\n \"type\": \"Microsoft.Security/securityContacts\",\r\n \"etag\": \"\\\"1a038825-0000-0d00-0000-63764e550000\\\"\",\r\n \"location\": \"West Europe\"\r\n}", "StatusCode": 200 } ], From 5f52a57e6eab671ec79fbe84f437f00f1404eb8c Mon Sep 17 00:00:00 2001 From: yifat Date: Tue, 22 Nov 2022 11:54:52 +0200 Subject: [PATCH 14/18] Add support in evidence, techniques and sub techniques --- .../PSAlertPropertiesSupportingEvidence.cs | 23 +++++++++++++++++++ .../Alerts/PSSecurityAlertConverters.cs | 14 ++++++++++- .../Models/Alerts/PSSecurityAlertV3.cs | 8 +++++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 src/Security/Security/Models/Alerts/PSAlertPropertiesSupportingEvidence.cs diff --git a/src/Security/Security/Models/Alerts/PSAlertPropertiesSupportingEvidence.cs b/src/Security/Security/Models/Alerts/PSAlertPropertiesSupportingEvidence.cs new file mode 100644 index 000000000000..ceb6ab2e3f06 --- /dev/null +++ b/src/Security/Security/Models/Alerts/PSAlertPropertiesSupportingEvidence.cs 
@@ -0,0 +1,23 @@ +// ---------------------------------------------------------------------------------- +// +// Copyright Microsoft Corporation +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// ---------------------------------------------------------------------------------- + +using System.Collections.Generic; + +namespace Microsoft.Azure.Commands.Security.Models.Alerts +{ + public class PSAlertPropertiesSupportingEvidence + { + public string Type { get; set; } + } +} \ No newline at end of file diff --git a/src/Security/Security/Models/Alerts/PSSecurityAlertConverters.cs b/src/Security/Security/Models/Alerts/PSSecurityAlertConverters.cs index b4cfd96ee8f9..7a045540295d 100644 --- a/src/Security/Security/Models/Alerts/PSSecurityAlertConverters.cs +++ b/src/Security/Security/Models/Alerts/PSSecurityAlertConverters.cs @@ -49,7 +49,11 @@ public static PSSecurityAlertV3 ConvertToPSType(this Alert value) Status = value.Status, SystemAlertId = value.SystemAlertId, TimeGeneratedUtc = value.TimeGeneratedUtc, - VendorName = value.VendorName + VendorName = value.VendorName, + Version = value.Version, + Techniques = value.Techniques?.ToList() ?? new List(), + SubTechniques = value.SubTechniques?.ToList() ?? new List(), + SupportingEvidence = value.SupportingEvidence?.ConvertToPSType() }; } 
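Review bot: `PSAlertPropertiesSupportingEvidence` exposes only `Type`, so any other supporting-evidence data the service returns never reaches the cmdlet output. The SDK model `AlertPropertiesSupportingEvidence` is not visible in this hunk; if it carries further fields, someone triaging an alert from PowerShell sees only the evidence type. Either surface those fields or state the limit in a class comment such as `/// <summary>Supporting evidence of an alert; only the evidence type is exposed.</summary>`. `using System.Collections.Generic;` is unused in this file and can be dropped.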
@@ -70,5 +74,13 @@ public static List ConvertToPSType(this IEnumerable aps.ConvertToPSType()).ToList(); } + + public static PSAlertPropertiesSupportingEvidence ConvertToPSType(this AlertPropertiesSupportingEvidence value) + { + return new PSAlertPropertiesSupportingEvidence + { + Type = value.Type + }; + } } } diff --git a/src/Security/Security/Models/Alerts/PSSecurityAlertV3.cs b/src/Security/Security/Models/Alerts/PSSecurityAlertV3.cs index 86557394720e..67963773ec8d 100644 --- a/src/Security/Security/Models/Alerts/PSSecurityAlertV3.cs +++ b/src/Security/Security/Models/Alerts/PSSecurityAlertV3.cs @@ -51,6 +51,14 @@ public class PSSecurityAlertV3 public string AlertType { get; set; } + public string Version { get; set; } + + public List Techniques { get; set; } + + public List SubTechniques { get; set; } + + public PSAlertPropertiesSupportingEvidence SupportingEvidence { get; set; } + public DateTime? ProcessingEndTimeUtc { get; set; } public DateTime? EndTimeUtc { get; set; } From 530ce67b2effce2f37c48d63af42eeb29a740e92 Mon Sep 17 00:00:00 2001 From: Keren Damari Date: Thu, 24 Nov 2022 02:41:53 +0200 Subject: [PATCH 15/18] Pricings --- .../Generated/PricingsOperations.cs | 4 +-- .../Security/Cmdlets/Pricings/SetPricings.cs | 7 ++++- .../Security/Common/ParameterHelpMessages.cs | 3 +- .../Security/help/Get-AzSecurityPricing.md | 26 +++++++++------- .../Security/help/Set-AzSecurityPricing.md | 30 ++++++++++++++++++- 5 files changed, 55 insertions(+), 15 deletions(-) diff --git a/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs b/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs index a955ddb5d768..3bcca5ed88cd 100644 --- a/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs +++ b/src/Security/Security.Management.Sdk/Generated/PricingsOperations.cs 
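Review bot: The new `ConvertToPSType(this AlertPropertiesSupportingEvidence value)` overload reads `value.Type` with no null check, so it is safe only because the single caller added in this commit uses `?.`. It is a public extension method, so any other caller that passes an alert without evidence gets a NullReferenceException instead of a null result. Guarding inside the helper keeps it consistent with the call site: `if (value == null) { return null; }` as the first statement of the method.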
@@ -490,9 +490,9 @@ internal PricingsOperations(SecurityCenterClient client) } string apiVersion = "2022-03-01"; Pricing pricing = new Pricing(); - if (pricingTier != null || subPlan != null) + pricing.PricingTier = pricingTier; + if (subPlan != null) { - pricing.PricingTier = pricingTier; pricing.SubPlan = subPlan; } // Tracing diff --git a/src/Security/Security/Cmdlets/Pricings/SetPricings.cs b/src/Security/Security/Cmdlets/Pricings/SetPricings.cs index a8a5506c5093..1b3f9ace28da 100644 --- a/src/Security/Security/Cmdlets/Pricings/SetPricings.cs +++ b/src/Security/Security/Cmdlets/Pricings/SetPricings.cs @@ -34,6 +34,9 @@ public class SetPricings : SecurityCenterCmdletBase [ValidateNotNullOrEmpty] public string PricingTier { get; set; } + [Parameter(ParameterSetName = ParameterSetNames.SubscriptionLevelResource, Mandatory = false, HelpMessage = ParameterHelpMessages.SubPlan)] + public string SubPlan { get; set; } + [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)] [ValidateNotNullOrEmpty] public PSSecurityPricing InputObject { get; set; } @@ -42,6 +45,7 @@ public override void ExecuteCmdlet() { var name = Name; var tier = PricingTier; + var subPlan = SubPlan; switch (ParameterSetName) { @@ -50,6 +54,7 @@ public override void ExecuteCmdlet() case ParameterSetNames.InputObject: name = InputObject.Name; tier = InputObject.PricingTier; + subPlan = string.IsNullOrEmpty(InputObject.SubPlan) ? null : InputObject.SubPlan; break; default: throw new PSInvalidOperationException(); 
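Review bot: In `SetPricings.cs`, an empty `SubPlan` is normalised to null only in the `InputObject` branch (`subPlan = string.IsNullOrEmpty(InputObject.SubPlan) ? null : InputObject.SubPlan;`), while the new `-SubPlan` parameter in the `@@ -34,6 +34,9 @@` hunk has no validation attribute. As a result `-SubPlan ""` passes the `subPlan != null` test in `PricingsOperations` and is sent to the service as an empty sub-plan. This cmdlet decides which Defender plan covers a subscription, so both parameter sets should treat an empty value the same way: add `[ValidateNotNullOrEmpty]` above `public string SubPlan { get; set; }`, or apply the same `string.IsNullOrEmpty` normalisation after the switch. The `SubscriptionLevelResource` case and the rest of `ExecuteCmdlet` are outside these hunks, so confirm nothing there already handles it.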
@@ -57,7 +62,7 @@ public override void ExecuteCmdlet() if (ShouldProcess(name, VerbsCommon.Set)) { - var pricing = SecurityCenterClient.Pricings.UpdateWithHttpMessagesAsync(name, tier).GetAwaiter().GetResult().Body; + var pricing = SecurityCenterClient.Pricings.UpdateWithHttpMessagesAsync(name, tier, subPlan).GetAwaiter().GetResult().Body; WriteObject(pricing.ConvertToPSType(), enumerateCollection: false); } diff --git a/src/Security/Security/Common/ParameterHelpMessages.cs b/src/Security/Security/Common/ParameterHelpMessages.cs index 7d55065624e9..133a9cadb08f 100644 --- a/src/Security/Security/Common/ParameterHelpMessages.cs +++ b/src/Security/Security/Common/ParameterHelpMessages.cs @@ -71,7 +71,8 @@ public static class ParameterHelpMessages #region Pricings - public const string PricingTier = "Pricing Tier."; + public const string PricingTier = "The pricing tier value. Microsoft Defender for Cloud is provided in two pricing tiers: Free or Standard."; + public const string SubPlan = "The sub-plan selected for a Standard pricing configuration, when more than one sub-plan is available. When not specified, full plan is applied."; #endregion diff --git a/src/Security/Security/help/Get-AzSecurityPricing.md b/src/Security/Security/help/Get-AzSecurityPricing.md index 9c1b6b04ccdf..c768a91bd12e 100644 --- a/src/Security/Security/help/Get-AzSecurityPricing.md +++ b/src/Security/Security/help/Get-AzSecurityPricing.md 
@@ -43,16 +43,22 @@ Get-AzSecurityPricing ``` ```output -Id Name PricingTier FreeTrialRemainingTime --- ---- ----------- ---------------------- -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/VirtualMachines VirtualMachines Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/Sqlservers SqlServers Standard 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/AppServices AppServices Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/StorageAccounts StorageAccounts Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/SqlserverVirtualMachines SqlservervirtualMachines Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/KubernetesService KubernetesService Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/ContainerRegistry ContainerRegistry Free 00:00:00 -/subscriptions/fbaa2b23-e9dd-4bed-93c1-9e2a44f64bc0/providers/Microsoft.Security/pricings/KeyVaults KeyVaults Free 00:00:00 +Id Name PricingTier SubPlan FreeTrialRemainingTime Deprecated ReplacedBy +-- ---- ----------- ------- ---------------------- ---------- ---------- +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/VirtualMachines VirtualMachines Standard P2 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/SqlServers SqlServers Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/AppServices AppServices Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/StorageAccounts StorageAccounts Standard PerStorageAccount 00:00:00 
+/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/SqlServerVirtualMachines SqlServerVirtualMachines Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/KubernetesService KubernetesService Free 00:00:00 True [Containers] +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/ContainerRegistry ContainerRegistry Free 00:00:00 True [Containers] +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/KeyVaults KeyVaults Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/Dns Dns Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/Arm Arm Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/OpenSourceRelationalDatabases OpenSourceRelationalDatabases Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/CosmosDbs CosmosDbs Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/Containers Containers Standard 00:00:00 +/subscriptions/c32e05d9-7207-4e22-bdf4-4f7d9c72e5fd/providers/Microsoft.Security/pricings/CloudPosture CloudPosture Free 00:00:00 ``` Gets the status of each Azure Defender plan for the subscription. diff --git a/src/Security/Security/help/Set-AzSecurityPricing.md b/src/Security/Security/help/Set-AzSecurityPricing.md index 59bc1d4544b2..4bd42c7e6304 100644 --- a/src/Security/Security/help/Set-AzSecurityPricing.md +++ b/src/Security/Security/help/Set-AzSecurityPricing.md 
@@ -19,6 +19,12 @@ Set-AzSecurityPricing -Name -PricingTier [-DefaultProfile ] ``` +### SubscriptionLevelResource (With optional SubPlan) +``` +Set-AzSecurityPricing -Name -PricingTier -SubPlan [-DefaultProfile ] [-WhatIf] + [-Confirm] [] +``` + ### InputObject ``` Set-AzSecurityPricing -InputObject [-DefaultProfile ] [-WhatIf] @@ -36,7 +42,13 @@ For details about Azure Defender and the available plans, see [Introduction to A ### Example 1 ```powershell -Set-AzSecurityPricing -Name "virtualmachines" -PricingTier "Standard" +Set-AzSecurityPricing -Name "AppServices" -PricingTier "Standard" +``` + +### Example 2 + +```powershell +Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" -SubPlan P2 ``` Enables **Azure Defender for servers** for the subscription. @@ -109,6 +121,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -SubPlan + +Sub Plan. + +```yaml +Type: System.String +Parameter Sets: SubscriptionLevelResource +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Confirm Prompts you for confirmation before running the cmdlet. From c787925ed0c25c71a6427848c1940e9eca4efc28 Mon Sep 17 00:00:00 2001 From: Sulaiman Abu Rashed Date: Mon, 30 Jan 2023 18:10:49 +0200 Subject: [PATCH 16/18] changes --- .../SecurityContact/PSSecurityContact.cs | 4 +-- .../PSSecurityContactConverters.cs | 36 +++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs index 37b953cbbbda..2d91c9f7e6a0 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs 
@@ -26,8 +26,8 @@ public class PSSecurityContact public string Phone { get; set; } - public PSSecurityContactPropertiesAlertNotifications AlertNotifications { get; set; } + public string AlertNotifications { get; set; } - public PSSecurityContactPropertiesNotificationsByRole NotificationsByRole { get; set; } + public string AlertsToAdmins { get; set; } } } diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs index 1f0708c37e29..68d852c7314d 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs @@ -30,8 +30,8 @@ public static PSSecurityContact ConvertToPSType(this SecurityContact value) Name = value.Name, Email = value.Emails, Phone = value.Phone, - AlertNotifications = value.AlertNotifications?.ConvertToPSType(), - NotificationsByRole = value.NotificationsByRole?.ConvertToPSType() + AlertNotifications = value.AlertNotifications?.State, + AlertsToAdmins = (value.NotificationsByRole?.Roles?.Contains("Owner") ?? false) ? value.NotificationsByRole?.State : "Off" }; } 
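Review bot: The `AlertsToAdmins` expression in the `PSSecurityContactConverters.cs` hunk returns `"Off"` whenever the role list lacks the exact string `"Owner"`, even when `NotificationsByRole.State` is enabled for other roles, so `Get-AzSecurityContact` can understate who is notified about alerts. The match is also case-sensitive, and `AlertNotifications = value.AlertNotifications?.State` drops `MinimalSeverity`, so a contact limited to high-severity alerts reads the same as one receiving every alert. If this flattening is the price of backward compatibility, record it above the initializer, e.g. `// Legacy shape: AlertsToAdmins reflects only the Owner role; MinimalSeverity and other roles are not surfaced.`, and make the role test case-insensitive with `Roles?.Contains("Owner", StringComparer.OrdinalIgnoreCase)` (needs `using System;` if the file lacks it). `ConvertToPSType` begins above the hunk.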
@@ -40,24 +40,24 @@ public static List ConvertToPSType(this IEnumerable sc.ConvertToPSType()).ToList(); } - public static PSSecurityContactPropertiesAlertNotifications ConvertToPSType(this SecurityContactPropertiesAlertNotifications value) - { - return new PSSecurityContactPropertiesAlertNotifications - { - MinimalSeverity = value.MinimalSeverity, - State = value.State + //public static PSSecurityContactPropertiesAlertNotifications ConvertToPSType(this SecurityContactPropertiesAlertNotifications value) + //{ + // return new PSSecurityContactPropertiesAlertNotifications + // { + // MinimalSeverity = value.MinimalSeverity, + // State = value.State - }; - } + // }; + //} - public static PSSecurityContactPropertiesNotificationsByRole ConvertToPSType(this SecurityContactPropertiesNotificationsByRole value) - { - return new PSSecurityContactPropertiesNotificationsByRole - { - State = value.State, - Roles = value.Roles?.ToList() ?? new List(), + //public static PSSecurityContactPropertiesNotificationsByRole ConvertToPSType(this SecurityContactPropertiesNotificationsByRole value) + //{ + // return new PSSecurityContactPropertiesNotificationsByRole + // { + // State = value.State, + // Roles = value.Roles?.ToList() ?? new List(), - }; - } + // }; + //} } } From 9d79d750b09464c7be750cfe342c702636727d80 Mon Sep 17 00:00:00 2001 From: Sulaiman Abu Rashed Date: Mon, 30 Jan 2023 18:58:49 +0200 Subject: [PATCH 17/18] remove breaking changes --- .../SecurityContact/PSSecurityContact.cs | 2 -- .../PSSecurityContactConverters.cs | 21 ------------------ ...rityContactPropertiesAlertNotifications.cs | 22 ------------------- ...ityContactPropertiesNotificationsByRole.cs | 12 ---------- 4 files changed, 57 deletions(-) delete mode 100644 src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs delete mode 100644 src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs 
diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs index 2d91c9f7e6a0..390861276a28 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContact.cs @@ -12,8 +12,6 @@ // limitations under the License. // ---------------------------------------------------------------------------------- -using Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact; - namespace Microsoft.Azure.Commands.Security.Models.SecurityContacts { public class PSSecurityContact diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs index 68d852c7314d..804b9fd59660 100644 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs +++ b/src/Security/Security/Models/SecurityContact/PSSecurityContactConverters.cs @@ -15,7 +15,6 @@ using System.Collections.Generic; using System.Linq; using Microsoft.Azure.Commands.Security.Models.Alerts; -using Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact; using Microsoft.Azure.Management.Security.Models; namespace Microsoft.Azure.Commands.Security.Models.SecurityContacts 
@@ -39,25 +38,5 @@ public static List ConvertToPSType(this IEnumerable sc.ConvertToPSType()).ToList(); } - - //public static PSSecurityContactPropertiesAlertNotifications ConvertToPSType(this SecurityContactPropertiesAlertNotifications value) - //{ - // return new PSSecurityContactPropertiesAlertNotifications - // { - // MinimalSeverity = value.MinimalSeverity, - // State = value.State - - // }; - //} - - //public static PSSecurityContactPropertiesNotificationsByRole ConvertToPSType(this SecurityContactPropertiesNotificationsByRole value) - //{ - // return new PSSecurityContactPropertiesNotificationsByRole - // { - // State = value.State, - // Roles = value.Roles?.ToList() ?? new List(), - - // }; - //} } } diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs deleted file mode 100644 index 2159d6e3492c..000000000000 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesAlertNotifications.cs +++ /dev/null 
@@ -1,22 +0,0 @@ -// ---------------------------------------------------------------------------------- -// -// Copyright Microsoft Corporation -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// http://www.apache.org/licenses/LICENSE-2.0 -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// ---------------------------------------------------------------------------------- - -namespace Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact -{ - public class PSSecurityContactPropertiesAlertNotifications - { - public string State { get; set; } - public string MinimalSeverity { get; set; } - } -} diff --git a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs b/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs deleted file mode 100644 index 472a3a942af9..000000000000 --- a/src/Security/Security/Models/SecurityContact/PSSecurityContactPropertiesNotificationsByRole.cs +++ /dev/null @@ -1,12 +0,0 @@ -using System; -using System.Collections.Generic; -using System.Text; - -namespace Microsoft.Azure.Commands.SecurityCenter.Models.SecurityContact -{ - public class PSSecurityContactPropertiesNotificationsByRole - { - public string State { get; set; } - public IList Roles { get; set; } - } -} From ad0acd9d4cbb006e35563b3bbef812adb6b4df4d Mon Sep 17 00:00:00 2001 
From: surashed <55134940+surashed@users.noreply.github.com> Date: Wed, 8 Feb 2023 14:35:35 +0200 Subject: [PATCH 18/18] Update ChangeLog.md --- src/Security/Security/ChangeLog.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Security/Security/ChangeLog.md b/src/Security/Security/ChangeLog.md index 1d20f3b339f2..11f45442414a 100644 --- a/src/Security/Security/ChangeLog.md +++ b/src/Security/Security/ChangeLog.md @@ -19,7 +19,10 @@ --> ## Upcoming Release - +* Updated Alerts cmdlets: + `Get-AzSecurityAlert` + `Set-AzSecurityAlert` +* Moving Security Contacts to be based on the latest API version '2020-01-01-preview' with backward compatibility support ## Version 1.3.0 * Added new cmdlet: `Get-AzSecuritySolution` * Added Alerts Suppression Rules to cmdlets: